Académique Documents
Professionnel Documents
Culture Documents
1
*
10
*
10
2
1
1
1 2
1 1
1
(
(
|
|
.
|
\
|
(
(
|
|
.
|
\
|
F
B
ACE
AVG
or F
B
ACE
AVG
i
i
Period
i
i
Period
Standard BAL-001-0.1a Real Power Balancing Control Performance
Page 2 of 7
where:
L
10
= ) 10 )( 10 ( 65 . 1 10 s i B B
10
is a constant derived from the targeted frequency bound. It is the targeted root-mean-square
(RMS) value of ten-minute average Frequency Error based on frequency performance over a
given year. The bound,
10
, is the same for every Balancing Authority Area within an
Interconnection, and B
s
is the sum of the Frequency Bias Settings of the Balancing Authority
Areas in the respective Interconnection. For Balancing Authority Areas with variable bias, this
is equal to the sum of the minimum Frequency Bias Settings.
R3. Each Balancing Authority providing Overlap Regulation Service shall evaluate Requirement
R1 (i.e., Control Performance Standard 1 or CPS1) and Requirement R2 (i.e., Control
Performance Standard 2 or CPS2) using the characteristics of the combined ACE and
combined Frequency Bias Settings.
R4. Any Balancing Authority receiving Overlap Regulation Service shall not have its control
performance evaluated (i.e. from a control performance perspective, the Balancing Authority
has shifted all control requirements to the Balancing Authority providing Overlap Regulation
Service).
C. Measures
M1. Each Balancing Authority shall achieve, as a minimum, Requirement 1 (CPS1) compliance of
100%.
CPS1 is calculated by converting a compliance ratio to a compliance percentage as follows:
CPS1 =(2 - CF) * 100%
The frequency-related compliance factor, CF, is a ratio of all one-minute compliance
parameters accumulated over 12 months divided by the target frequency bound:
2
1
) (
month 12
=
CF
CF
where:
1
is defined in Requirement R1.
The rating index CF
12-month
is derived from 12 months of data. The basic unit of data comes
from one-minute averages of ACE, Frequency Error and Frequency Bias Settings.
A clock-minute average is the average of the reporting Balancing Authoritys valid measured
variable (i.e., for ACE and for Frequency Error) for each sampling cycle during a given clock-
minute.
10B - 10
minute - clock in cycles sampling
minute - clock in cycles sampling
minute - clock
|
|
.
|
\
|
= |
.
|
\
|
n
ACE
B
ACE
minute - clock in cycles sampling
minute - clock in cycles sampling
minute - clock
n
F
F
=
The Balancing Authoritys clock-minutecompliance factor (CF) becomes:
Standard BAL-001-0.1a Real Power Balancing Control Performance
Page 3 of 7
(
|
.
|
\
|
=
minute - clock
minute - clock
minute - clock
*
10
F
B
ACE
CF
Normally, sixty (60) clock-minute averages of the reporting Balancing Authoritys ACE and of
the respective Interconnections Frequency Error will be used to compute the respective hourly
average compliance parameter.
hour in samples minute - clock
minute - clock
hour - clock
n
CF
CF
=
The reporting Balancing Authority shall be able to recalculate and store each of the respective
clock-hour averages (CF clock-hour average-month) as well as the respective number of
samples for each of the twenty-four (24) hours (one for each clock-hour, i.e., hour-ending (HE)
0100, HE 0200, ..., HE 2400).
=
month in - days
hour - clock in samples minute - one
month - in - days
hour - clock in samples minute - one hour - clock
month - average hour - clock
] [
)] )( [(CF
CF
n
n
=
day in - hours
averages hour - clock in samples minute - one
day - in - hours
averages hour - clock in samples minute - one month - average hour - clock
month
] [
)] )( [(CF
CF
n
n
The 12-month compliance factor becomes:
( )
=
=
=
12
1 i
i - month) in samples minute - one (
12
1 i
i month in samples minute - one i - month
month - 12
] [
)] )( (
CF
n
n CF
In order to ensure that the average ACE and Frequency Deviation calculated for any one-
minute interval is representative of that one-minute interval, it is necessary that at least 50% of
both ACE and Frequency Deviation samples during that one-minute interval be present.
Should a sustained interruption in the recording of ACE or Frequency Deviation due to loss of
telemetering or computer unavailability result in a one-minute interval not containing at least
50% of samples of both ACE and Frequency Deviation, that one-minute interval shall be
excluded from the calculation of CPS1.
M2. Each Balancing Authority shall achieve, as a minimum, Requirement R2 (CPS2) compliance of
90%. CPS2 relates to a bound on the ten-minute average of ACE. A compliance percentage is
calculated as follows:
( )
100 *
Periods e Unavailabl Periods Total
Violations
1 2
month month
month
(
= CPS
The violations per month are a count of the number of periods that ACE clock-ten-minutes
exceeded L
10
. ACE clock-ten-minutes is the sum of valid ACE samples within a clock-ten-
minute period divided by the number of valid samples.
Standard BAL-001-0.1a Real Power Balancing Control Performance
Page 4 of 7
Violation clock-ten-minutes
=0 if
10
minutes - 10 in samples
L
n
ACE
=1 if
10
minutes - 10 in samples
L
n
ACE
>
Each Balancing Authority shall report the total number of violations and unavailable periods
for the month. L
10
is defined in Requirement R2.
Since CPS2 requires that ACE be averaged over a discrete time period, the same factors that
limit total periods per month will limit violations per month. The calculation of total periods
per month and violations per month, therefore, must be discussed jointly.
A condition may arise which may impact the normal calculation of total periods per month and
violations per month. This condition is a sustained interruption in the recording of ACE.
In order to ensure that the average ACE calculated for any ten-minute interval is representative
of that ten-minute interval, it is necessary that at least half the ACE data samples are present
for that interval. Should half or more of the ACE data be unavailable due to loss of
telemetering or computer unavailability, that ten-minute interval shall be omitted from the
calculation of CPS2.
D. Compliance
1. Compliance Monitoring Process
1.1. Compliance Monitoring Responsibility
Regional Reliability Organization.
1.2. Compliance Monitoring Period and Reset Timeframe
One calendar month.
1.3. Data Retention
The data that supports the calculation of CPS1 and CPS2 (Appendix 1-BAL-001-0) are to
be retained in electronic form for at least a one-year period. If the CPS1 and CPS2 data
for a Balancing Authority Area are undergoing a review to address a question that has
been raised regarding the data, the data are to be saved beyond the normal retention
period until the question is formally resolved. Each Balancing Authority shall retain for a
rolling 12-month period the values of: one-minute average ACE (ACE
i
), one-minute
average Frequency Error, and, if using variable bias, one-minute average Frequency Bias.
1.4. Additional Compliance Information
None.
2. Levels of Non-Compliance CPS1
2.1. Level 1: The Balancing Authority Areas value of CPS1 is less than 100% but
greater than or equal to 95%.
2.2. Level 2: The Balancing Authority Areas value of CPS1 is less than 95% but
greater than or equal to 90%.
Standard BAL-001-0.1a Real Power Balancing Control Performance
Page 5 of 7
2.3. Level 3: The Balancing Authority Areas value of CPS1 is less than 90% but
greater than or equal to 85%.
2.4. Level 4: The Balancing Authority Areas value of CPS1 is less than 85%.
3. Levels of Non-Compliance CPS2
3.1. Level 1: The Balancing Authority Areas value of CPS2 is less than 90% but
greater than or equal to 85%.
3.2. Level 2: The Balancing Authority Areas value of CPS2 is less than 85% but
greater than or equal to 80%.
3.3. Level 3: The Balancing Authority Areas value of CPS2 is less than 80% but
greater than or equal to 75%.
3.4. Level 4: The Balancing Authority Areas value of CPS2 is less than 75%.
E. Regional Differences
1. The ERCOT Control Performance Standard 2 Waiver approved November 21, 2002.
F. Associated Documents
1. Appendix 2 Interpretation of Requirement R1 (October 23, 2007).
Version History
Version Date Action Change Tracking
0 February 8, 2005 BOT Approval New
0 April 1, 2005 Effective Implementation Date New
0 August 8, 2005 Removed Proposed from Effective Date Errata
0 J uly 24, 2007 Corrected R3 to reference M1 and M2
instead of R1 and R2
Errata
0a December 19, 2007 Added Appendix 2 Interpretation of R1
approved by BOT on October 23, 2007
Revised
0a J anuary 16, 2008 In Section A.2., Added a to end of standard
number
In Section F, corrected automatic numbering
from 2 to 1 and removed approved and
added parenthesis to (October 23, 2007)
Errata
0 J anuary 23, 2008 Reversed errata change from J uly 24, 2007 Errata
0.1a October 29, 2008 Board approved errata changes; updated
version number to 0.1a
Errata
0.1a May 13, 2009 Approved by FERC
Standard BAL-001-0.1a Real Power Balancing Control Performance
Page 6 of 7
Appendix 1-BAL-001-0
CPS1 and CPS2 Data
CPS1 DATA Description Retention Requirements
1
A constant derived from the targeted frequency
bound. This number is the same for each
Balancing Authority Area in the
Interconnection.
Retain the value of
1
used in CPS1 calculation.
ACE
i
The clock-minute average of ACE. Retain the 1-minute average values of ACE
(525,600 values).
B
i
The Frequency Bias of the Balancing Authority
Area.
Retain the value(s) of B
i
used in the CPS1
calculation.
F
A
The actual measured frequency. Retain the 1-minute average frequency values
(525,600 values).
F
S
Scheduled frequency for the Interconnection. Retain the 1-minute average frequency values
(525,600 values).
CPS2 DATA Description Retention Requirements
V Number of incidents per hour in which the
absolute value of ACE clock-ten-minutes is
greater than L
10
.
Retain the values of V used in CPS2
calculation.
10
A constant derived from the frequency bound.
It is the same for each Balancing Authority
Area within an Interconnection.
Retain the value of
10
used in CPS2
calculation.
B
i
The Frequency Bias of the Balancing Authority
Area.
Retain the value of B
i
used in the CPS2
calculation.
B
s
The sum of Frequency Bias of the Balancing
Authority Areas in the respective
Interconnection. For systems with variable
bias, this is equal to the sum of the minimum
Frequency Bias Setting.
Retain the value of B
s
used in the CPS2
calculation. Retain the 1-minute minimum bias
value (525,600 values).
U Number of unavailable ten-minute periods per
hour used in calculating CPS2.
Retain the number of 10-minute unavailable
periods used in calculating CPS2 for the
reporting period.
Standard BAL-001-0.1a Real Power Balancing Control Performance
Page 7 of 7
Appendix 2
Interpretation of Requirement 1
Request: Does the WECC Automatic Time Error Control Procedure (WATEC) violate
Requirement 1 of BAL-001-0?
Interpretation:
Requirement 1 of BAL-001 Real Power Balancing Control Performance, is the
definition of the area control error (ACE) equation and the limits established for Control
Performance Standard 1 (CPS1).
The WATEC procedural documents ask Balancing Authorities to maintain raw ACE for CPS
reporting and to control via WATEC-adjusted ACE.
As long as Balancing Authorities use raw (unadjusted for WATEC) ACE for CPS reporting
purposes, the use of WATEC for control is not in violation of BAL-001 Requirement 1.
BAL-001-0
R1. Each Balancing Authority shall operate such that, on a rolling 12-month basis, the average of
the clock-minute averages of the Balancing Authoritys Area Control Error (ACE) divided by 10B
(B is the clock-minute average of the Balancing Authority Areas Frequency Bias) times the
corresponding clock-minute averages of the Interconnections Frequency Error is less than a
specific limit. This limit 12 is a constant derived from a targeted frequency bound (separately
calculated for each Interconnection) that is reviewed and set as necessary by the NERC
Operating Committee.
Standard BAL-001-1 Real Power Balancing Control Performance
Page 1 of 12
A. Introduction
1. Title: Real Power Balancing Control Performance
2. Number: BAL-001-1
3. Purpose: To maintain Interconnection steady-state frequency within defined limits by
balancing real power demand and supply in real-time.
4. Applicability:
4.1. Balancing Authorities
5. Effective Date: The WECC Regional Variance to NERC Reliability Standard BAL-001-
1 is to be effective on the first day of the second quarter, after regulatory approval.
B. Requirements
R1. Each Balancing Authority shall operate such that, on a rolling 12-month basis, the average of
the clock-minute averages of the Balancing Authoritys Area Control Error (ACE) divided by
10B (B is the clock-minute average of the Balancing Authority Areas Frequency Bias) times
the corresponding clock-minute averages of the Interconnections Frequency Error is less than
a specific limit. This limit c
1
2
is a constant derived from a targeted frequency bound
(separately calculated for each Interconnection) that is reviewed and set as necessary by the
NERC Operating Committee.
The equation for ACE is:
ACE = (NI
A
NI
S
) 10B (F
A
F
S
) I
ME
where:
- NI
A
is the algebraic sum of actual flows on all tie lines.
- NI
S
is the algebraic sum of scheduled flows on all tie lines.
- B is the Frequency Bias Setting (MW/0.1 Hz) for the Balancing Authority. The
constant factor 10 converts the frequency setting to MW/Hz.
- F
A
is the actual frequency.
- F
S
is the scheduled frequency. F
S
is normally 60 Hz but may be offset to effect
manual time error corrections.
- I
ME
is the meter error correction factor typically estimated from the difference between
the integrated hourly average of the net tie line flows (NI
A
) and the hourly net
interchange demand measurement (megawatt-hour). This term should normally be
very small or zero.
R2. Each Balancing Authority shall operate such that its average ACE for at least 90% of clock-
ten-minute periods (6 non-overlapping periods per hour) during a calendar month is within a
specific limit, referred to as L
10
.
10 minute 10
) ( L ACE AVG
i
s
1
*
10
*
10
2
1
1
1 2
1 1
1
s
e
(
(
A
|
|
.
|
\
|
se
(
(
A
|
|
.
|
\
|
F
B
ACE
AVG
or F
B
ACE
AVG
i
i
Period
i
i
Period
Standard BAL-001-1 Real Power Balancing Control Performance
Page 2 of 12
where:
L
10
= ) 10 )( 10 ( 65 . 1 10 s i B B e
c
10
is a constant derived from the targeted frequency bound. It is the targeted root-mean-square
(RMS) value of ten-minute average Frequency Error based on frequency performance over a
given year. The bound, c
10
, is the same for every Balancing Authority Area within an
Interconnection, and B
s
is the sum of the Frequency Bias Settings of the Balancing Authority
Areas in the respective Interconnection. For Balancing Authority Areas with variable bias, this
is equal to the sum of the minimum Frequency Bias Settings.
R3. Each Balancing Authority providing Overlap Regulation Service shall evaluate Requirement
R1 (i.e., Control Performance Standard 1 or CPS1) and Requirement R2 (i.e., Control
Performance Standard 2 or CPS2) using the characteristics of the combined ACE and
combined Frequency Bias Settings.
R4. Any Balancing Authority receiving Overlap Regulation Service shall not have its control
performance evaluated (i.e. from a control performance perspective, the Balancing Authority
has shifted all control requirements to the Balancing Authority providing Overlap Regulation
Service).
C. Measures
M1. Each Balancing Authority shall achieve, as a minimum, Requirement 1 (CPS1) compliance of
100%.
CPS1 is calculated by converting a compliance ratio to a compliance percentage as follows:
CPS1 = (2 - CF) * 100%
The frequency-related compliance factor, CF, is a ratio of all one-minute compliance
parameters accumulated over 12 months divided by the target frequency bound:
2
1
) (
month 12
e
=
CF
CF
where: c
1
is defined in Requirement R1.
The rating index CF
12-month
is derived from 12 months of data. The basic unit of data comes
from one-minute averages of ACE, Frequency Error and Frequency Bias Settings.
A clock-minute average is the average of the reporting Balancing Authoritys valid measured
variable (i.e., for ACE and for Frequency Error) for each sampling cycle during a given clock-
minute.
10B - 10
minute - clock in cycles sampling
minute - clock in cycles sampling
minute - clock
|
|
.
|
\
|
=
|
.
|
\
|
n
ACE
B
ACE
minute - clock in cycles sampling
minute - clock in cycles sampling
minute - clock
n
F
F
A
= A
The Balancing Authoritys clock-minute compliance factor (CF) becomes:
Standard BAL-001-1 Real Power Balancing Control Performance
Page 3 of 12
(
A
|
.
|
\
|
=
minute - clock
minute - clock
minute - clock
*
10
F
B
ACE
CF
Normally, sixty (60) clock-minute averages of the reporting Balancing Authoritys ACE and of
the respective Interconnections Frequency Error will be used to compute the respective hourly
average compliance parameter.
hour in samples minute - clock
minute - clock
hour - clock
n
CF
CF
=
The reporting Balancing Authority shall be able to recalculate and store each of the respective
clock-hour averages (CF clock-hour average-month) as well as the respective number of
samples for each of the twenty-four (24) hours (one for each clock-hour, i.e., hour-ending (HE)
0100, HE 0200, ..., HE 2400).
=
month in - days
hour - clock in samples minute - one
month - in - days
hour - clock in samples minute - one hour - clock
month - average hour - clock
] [
)] )( [(CF
CF
n
n
=
day in - hours
averages hour - clock in samples minute - one
day - in - hours
averages hour - clock in samples minute - one month - average hour - clock
month
] [
)] )( [(CF
CF
n
n
The 12-month compliance factor becomes:
( )
=
=
=
12
1 i
i - month) in samples minute - one (
12
1 i
i month in samples minute - one i - month
month - 12
] [
)] )( (
CF
n
n CF
In order to ensure that the average ACE and Frequency Deviation calculated for any one-
minute interval is representative of that one-minute interval, it is necessary that at least 50% of
both ACE and Frequency Deviation samples during that one-minute interval be present.
Should a sustained interruption in the recording of ACE or Frequency Deviation due to loss of
telemetering or computer unavailability result in a one-minute interval not containing at least
50% of samples of both ACE and Frequency Deviation, that one-minute interval shall be
excluded from the calculation of CPS1.
M2. Each Balancing Authority shall achieve, as a minimum, Requirement R2 (CPS2) compliance of
90%. CPS2 relates to a bound on the ten-minute average of ACE. A compliance percentage is
calculated as follows:
( )
100 *
Periods e Unavailabl Periods Total
Violations
1 2
month month
month
(
= CPS
The violations per month are a count of the number of periods that ACE clock-ten-minutes
exceeded L
10
. ACE clock-ten-minutes is the sum of valid ACE samples within a clock-ten-
minute period divided by the number of valid samples.
Standard BAL-001-1 Real Power Balancing Control Performance
Page 4 of 12
Violation clock-ten-minutes
= 0 if
10
minutes - 10 in samples
L
n
ACE
s
= 1 if
10
minutes - 10 in samples
L
n
ACE
>
Each Balancing Authority shall report the total number of violations and unavailable periods
for the month. L
10
is defined in Requirement R2.
Since CPS2 requires that ACE be averaged over a discrete time period, the same factors that
limit total periods per month will limit violations per month. The calculation of total periods
per month and violations per month, therefore, must be discussed jointly.
A condition may arise which may impact the normal calculation of total periods per month and
violations per month. This condition is a sustained interruption in the recording of ACE.
In order to ensure that the average ACE calculated for any ten-minute interval is representative
of that ten-minute interval, it is necessary that at least half the ACE data samples are present
for that interval. Should half or more of the ACE data be unavailable due to loss of
telemetering or computer unavailability, that ten-minute interval shall be omitted from the
calculation of CPS2.
D. Compliance
1. Compliance Monitoring Process
1.1. Compliance Monitoring Responsibility
Regional Reliability Organization.
1.2. Compliance Monitoring Period and Reset Timeframe
One calendar month.
1.3. Data Retention
The data that supports the calculation of CPS1 and CPS2 (Appendix 1-BAL-001-0) are to
be retained in electronic form for at least a one-year period. If the CPS1 and CPS2 data
for a Balancing Authority Area are undergoing a review to address a question that has
been raised regarding the data, the data are to be saved beyond the normal retention
period until the question is formally resolved. Each Balancing Authority shall retain for a
rolling 12-month period the values of: one-minute average ACE (ACE
i
), one-minute
average Frequency Error, and, if using variable bias, one-minute average Frequency Bias.
1.4. Additional Compliance Information
None.
2. Levels of Non-Compliance CPS1
2.1. Level 1: The Balancing Authority Areas value of CPS1 is less than 100% but
greater than or equal to 95%.
2.2. Level 2: The Balancing Authority Areas value of CPS1 is less than 95% but
greater than or equal to 90%.
Standard BAL-001-1 Real Power Balancing Control Performance
Page 5 of 12
2.3. Level 3: The Balancing Authority Areas value of CPS1 is less than 90% but
greater than or equal to 85%.
2.4. Level 4: The Balancing Authority Areas value of CPS1 is less than 85%.
3. Levels of Non-Compliance CPS2
3.1. Level 1: The Balancing Authority Areas value of CPS2 is less than 90% but
greater than or equal to 85%.
3.2. Level 2: The Balancing Authority Areas value of CPS2 is less than 85% but
greater than or equal to 80%.
3.3. Level 3: The Balancing Authority Areas value of CPS2 is less than 80% but
greater than or equal to 75%.
3.4. Level 4: The Balancing Authority Areas value of CPS2 is less than 75%.
E. Regional Differences
E.A. The ERCOT Control Performance Standard 2 Waiver approved November 21, 2002.
E.B. Regional Variance for the Western Electricity Coordinating Council
The following Interconnection-wide variance shall be applicable in the Western
Interconnection and replaces, in their entirety, Requirement R1 and Section D.2. (i.e.,
under Compliance replace Levels of Non-Compliance CPS1). Please note that the ACE
equation is replaced in its entirety with the following equation identified in Requirement
E.B.1.
Requirements and Measures
E.B.1. Each Balancing Authority shall operate such that, on a rolling 12-month basis, the
average of the clock-minute averages of the Balancing Authoritys Area Control Error
(ACE) divided by 10B (B is the clock-minute average of the Balancing Authority Areas
Frequency Bias) times the corresponding clock-minute averages of the Interconnections
Frequency Error is less than a specific limit. This limit c
1
2
is a constant derived from a
targeted frequency bound (separately calculated for each Interconnection) that is
reviewed and set as necessary by the NERC Operating Committee.
The equation for ACE in the Western Interconnection is:
( ) ( ) ATEC
ME S A S A
I I F F B NI NI ACE + = 10
where:
- NI
A
is the algebraic sum of actual flows on all tie lines.
- NI
S
is the algebraic sum of scheduled flows on all tie lines.
1
*
10
*
10
2
1
1
1 2
1 1
1
s
e
(
(
A
|
|
.
|
\
|
se
(
(
A
|
|
.
|
\
|
F
B
ACE
AVG
or F
B
ACE
AVG
i
i
Period
i
i
Period
Standard BAL-001-1 Real Power Balancing Control Performance
Page 6 of 12
- B is the Frequency Bias Setting (MW/0.1 Hz) for the Balancing Authority. The
constant factor 10 converts the frequency setting to MW/Hz.
- F
A
is the actual frequency.
- F
S
is the scheduled frequency. F
S
is normally 60 Hz but may be offset to effect
manual time error corrections.
- I
ME
is the meter error correction factor typically estimated from the difference
between the integrated hourly average of the net tie line flows (NI
A
) and the hourly
net interchange demand measurement (megawatt-hour). This term should normally
be very small or zero.
( ) H Y
IATEC
* 1
PII
peak on/off
accum
\
|
=
|
.
|
\
|
n
ACE
B
ACE
minute - clock in cycles sampling
minute - clock in cycles sampling
minute - clock
n
F
F
A
= A
The Balancing Authoritys clock-minute compliance factor (CF) becomes:
(
A
|
.
|
\
|
=
minute - clock
minute - clock
minute - clock
*
10
F
B
ACE
CF
Normally, sixty (60) clock-minute averages of the reporting Balancing Authoritys ACE
and of the respective Interconnections Frequency Error will be used to compute the
respective hourly average compliance parameter.
hour in samples minute - clock
minute - clock
hour - clock
n
CF
CF
=
The reporting Balancing Authority shall be able to recalculate and store each of the
respective clock-hour averages (CF clock-hour average-month) as well as the respective
number of samples for each of the twenty-four (24) hours (one for each clock-hour, i.e.,
hour-ending (HE) 0100, HE 0200, ..., HE 2400).
=
month in - days
hour - clock in samples minute - one
month - in - days
hour - clock in samples minute - one hour - clock
month - average hour - clock
] [
)] )( [(CF
CF
n
n
=
day in - hours
averages hour - clock in samples minute - one
day - in - hours
averages hour - clock in samples minute - one month - average hour - clock
month
] [
)] )( [(CF
CF
n
n
The 12-month compliance factor becomes:
Standard BAL-001-1 Real Power Balancing Control Performance
Page 8 of 12
( )
=
=
=
12
1 i
i - month) in samples minute - one (
12
1 i
i month in samples minute - one i - month
month - 12
] [
)] )( (
CF
n
n CF
In order to ensure that the average ACE and Frequency Deviation calculated for any one-
minute interval is representative of that one-minute interval, it is necessary that at least
50% of both ACE and Frequency Deviation samples during that one-minute interval be
present. Should a sustained interruption in the recording of ACE or Frequency Deviation
due to loss of telemetering or computer unavailability result in a one-minute interval not
containing at least 50% of samples of both ACE and Frequency Deviation, that one-
minute interval shall be excluded from the calculation of CPS1.
E.B.2. Each Balancing Authority shall limit the absolute value of I
ATEC
, the Automatic Time
Error Correction term as follows: [Violation Risk Factor: Medium] [Time Horizon: Real-
time Operations]
I
ATEC
L
max
.
M.E.B.2. Forms of acceptable evidence for Requirement E.B.2 may include, but are not limited to:
- Dated Energy Management System (EMS) displays,
- WECC Interchange Tool, EMS application code, or
- Other archived data that demonstrates compliance.
E.B.3. Each Balancing Authority shall set L
max
within the limits as follows:
0.20 * |B| L
max
L
10
.
[Violation Risk Factor: Medium] [Time Horizon: Operations Planning]
M.E.B.3. Forms of acceptable evidence for Requirement E.B.3 may include, but is not limited to:
- Dated Energy Management System (EMS) displays,
- WECC Interchange Tool, EMS application code, or
- Other archived data that demonstrates compliance.
E.B Compliance
1. Evidence Retention
The following evidence retention periods identify the period of time an entity is required
to retain specific evidence to demonstrate compliance. For instances where the evidence
retention period specified below is shorter than the time since the last audit, the
Compliance Enforcement Authority may ask an entity to provide other evidence to show
that it was compliant for the full time period since the last audit.
Each Balancing Authority in the Western Interconnection shall retain the values of I
ATEC
and L
max
for the preceding calendar year (January December), as well as the current
calendar year.
Standard BAL-001-1 Real Power Balancing Control Performance
Page 9 of 12
Table of Compliance Elements
E # Time Horizon VRF Violation Severity Levels
Lower VSL Moderate VSL High VSL Severe VSL
E.B.1 Real-time
Operations
Medium The Balancing Authority
Areas value of CPS1
was less than 100% but
greater than or equal to
95%.
The Balancing Authority
Areas value of CPS1
was less than 95% but
greater than or equal to
90%.
The Balancing Authority
Areas value of CPS1
was less than 90% but
greater than or equal to
85%.
The Balancing Authority
Areas value of CPS1
was less than 85%.
E.B.2
Real-time
Operations
Medium N/A N/A N/A The Balancing Authority
Areas absolute value for
I
ATEC
was greater than
L
max
.
E.B.3 Operations
Planning
Medium N/A N/A N/A The Balancing Authority
did not set L
max
to within
the limits in E.B.3 (i.e.,
0.20 * |B| s L
max
s L
10
).
Standard BAL-001-1 Real Power Balancing Control Performance
Page 10 of 12
F. Associated Documents
Version History
Version Date Action Change Tracking
0 February 8, 2005 BOT Approval New
0 April 1, 2005 Effective Implementation Date New
0 August 8, 2005 Removed Proposed from Effective Date Errata
0 July 24, 2007 Corrected R3 to reference M1 and M2
instead of R1 and R2
Errata
0a December 19, 2007 Added Appendix 2 Interpretation of R1
approved by BOT on October 23, 2007
Revised
0a January 16, 2008 In Section A.2., Added a to end of standard
number
In Section F, corrected automatic numbering
from 2 to 1 and removed approved and
added parenthesis to (October 23, 2007)
Errata
0 January 23, 2008 Reversed errata change from July 24, 2007 Errata
0.1a October 29, 2008 Board approved errata changes; updated
version number to 0.1a
Errata
0.1a May 13, 2009 Approved by FERC
1 December 19, 2012 Adopted by NERC Board of Trustees
Standard BAL-001-1 Real Power Balancing Control Performance
Page 11 of 12
Appendix 1-BAL-001-1
CPS1 and CPS2 Data
CPS1 DATA Description Retention Requirements
c
1
A constant derived from the targeted frequency
bound. This number is the same for each
Balancing Authority Area in the
Interconnection.
Retain the value of c
1
used in CPS1 calculation.
ACE
i
The clock-minute average of ACE. Retain the 1-minute average values of ACE
(525,600 values).
B
i
The Frequency Bias of the Balancing Authority
Area.
Retain the value(s) of B
i
used in the CPS1
calculation.
F
A
The actual measured frequency. Retain the 1-minute average frequency values
(525,600 values).
F
S
Scheduled frequency for the Interconnection. Retain the 1-minute average frequency values
(525,600 values).
CPS2 DATA Description Retention Requirements
V Number of incidents per hour in which the
absolute value of ACE clock-ten-minutes is
greater than L
10
.
Retain the values of V used in CPS2
calculation.
c
10
A constant derived from the frequency bound.
It is the same for each Balancing Authority
Area within an Interconnection.
Retain the value of c
10
used in CPS2
calculation.
B
i
The Frequency Bias of the Balancing Authority
Area.
Retain the value of B
i
used in the CPS2
calculation.
B
s
The sum of Frequency Bias of the Balancing
Authority Areas in the respective
Interconnection. For systems with variable
bias, this is equal to the sum of the minimum
Frequency Bias Setting.
Retain the value of B
s
used in the CPS2
calculation. Retain the 1-minute minimum bias
value (525,600 values).
U Number of unavailable ten-minute periods per
hour used in calculating CPS2.
Retain the number of 10-minute unavailable
periods used in calculating CPS2 for the
reporting period.
Standard BAL-001-1 Real Power Balancing Control Performance
Page 12 of 12
Guidance and Rationale
Rationale for E.B.1
Premise: When a Balancing Authority Area uses the ACE equation with an ATEC correction
component for both control and assessing performance, it provides a more accurate
measurement of the Control Performance methodology while at the same time achieving the
same reliability objective as the existing BAL-001-0.1a standard.
Justification: Adding the I
ATEC
term to the ACE equation reduces the number of manual time
error corrections and PII
accum
.
Goal: To establish an ACE equation that permits the implementation of Automatic Time Error
Correction.
Rationale for E.B.2
Premise: I
ATEC
greater than
L
max
may result in a risk to reliability caused by large ATEC
payback.
Justification: Balancing Authorities should not control their Balancing Authority Areas using an
approach that puts system reliability at risk.
Goal: The goal of Requirement E.B.2 is to limit I
ATEC
to L
max
in order to reduce potential
reliability risks to the interconnection caused by a large ATEC payback term.
Rationale for E.B.3
Premise: Operating within an L
max
less than 0.20 * |B| may not provide sufficient correction for
PII and operating with an L
max
greater than L
10
may result in potential reliability risks caused by
a large ATEC payback term.
Justification: L
max
should be limited to prevent Balancing Authorities from creating potential
reliability risks caused by a large ATEC payback term.
Goal: The goal of Requirement E.B.3 is to develop a range for L
max
where Balancing Authorities
reduce potential reliability risks by limiting I
ATEC
to L
max
.
Standard BAL-002-1 Disturbance Control Performance
Adopted by Board of Trustees: August 5, 2010 1
A. Introduction
1. Title: Disturbance Control Performance
2. Number: BAL-002-1
3. Purpose: The purpose of the Disturbance Control Standard (DCS) is to ensure the
Balancing Authority is able to utilize its Contingency Reserve to balance resources and
demand and return Interconnection frequency within defined limits following a Reportable
Disturbance. Because generator failures are far more common than significant losses of load
and because Contingency Reserve activation does not typically apply to the loss of load, the
application of DCS is limited to the loss of supply and does not apply to the loss of load.
4. Applicability:
4.1. Balancing Authorities
4.2. Reserve Sharing Groups (Balancing Authorities may meet the requirements of
Standard 002 through participation in a Reserve Sharing Group.)
4.3. Regional Reliability Organizations
5. (Proposed) Effective Date: The first day of the first calendar quarter, one year after
applicable regulatory approval; or in those jurisdictions where no regulatory approval is
required, the first day of the first calendar quarter one year after Board of Trustees adoption.
B. Requirements
R1. Each Balancing Authority shall have access to and/or operate Contingency Reserve to respond
to Disturbances. Contingency Reserve may be supplied from generation, controllable load
resources, or coordinated adjustments to Interchange Schedules.
R1.1. A Balancing Authority may elect to fulfill its Contingency Reserve obligations by
participating as a member of a Reserve Sharing Group. In such cases, the Reserve
Sharing Group shall have the same responsibilities and obligations as each Balancing
Authority with respect to monitoring and meeting the requirements of Standard BAL-
002.
R2. Each Regional Reliability Organization, sub-Regional Reliability Organization or Reserve
Sharing Group shall specify its Contingency Reserve policies, including:
R2.1. The minimum reserve requirement for the group.
R2.2. Its allocation among members.
R2.3. The permissible mix of Operating Reserve Spinning and Operating Reserve
Supplemental that may be included in Contingency Reserve.
R2.4. The procedure for applying Contingency Reserve in practice.
R2.5. The limitations, if any, upon the amount of interruptible load that may be included.
R2.6. The same portion of resource capacity (e.g. reserves from jointly owned generation)
shall not be counted more than once as Contingency Reserve by multiple Balancing
Authorities.
R3. Each Balancing Authority or Reserve Sharing Group shall activate sufficient Contingency
Reserve to comply with the DCS.
R3.1. As a minimum, the Balancing Authority or Reserve Sharing Group shall carry at least
enough Contingency Reserve to cover the most severe single contingency. All
Balancing Authorities and Reserve Sharing Groups shall review, no less frequently
Standard BAL-002-1 Disturbance Control Performance
Adopted by Board of Trustees: August 5, 2010 2
than annually, their probable contingencies to determine their prospective most severe
single contingencies.
R4. A Balancing Authority or Reserve Sharing Group shall meet the Disturbance Recovery
Criterion within the Disturbance Recovery Period for 100% of Reportable Disturbances. The
Disturbance Recovery Criterion is:
R4.1. A Balancing Authority shall return its ACE to zero if its ACE just prior to the
Reportable Disturbance was positive or equal to zero. For negative initial ACE values
just prior to the Disturbance, the Balancing Authority shall return ACE to its pre-
Disturbance value.
R4.2. The default Disturbance Recovery Period is 15 minutes after the start of a Reportable
Disturbance.
R5. Each Reserve Sharing Group shall comply with the DCS. A Reserve Sharing Group shall be
considered in a Reportable Disturbance condition whenever a group member has experienced
a Reportable Disturbance and calls for the activation of Contingency Reserves from one or
more other group members. (If a group member has experienced a Reportable Disturbance
but does not call for reserve activation from other members of the Reserve Sharing Group,
then that member shall report as a single Balancing Authority.) Compliance may be
demonstrated by either of the following two methods:
R5.1. The Reserve Sharing Group reviews group ACE (or equivalent) and demonstrates
compliance to the DCS. To be in compliance, the group ACE (or its equivalent) must
meet the Disturbance Recovery Criterion after the schedule change(s) related to reserve
sharing have been fully implemented, and within the Disturbance Recovery Period.
or
R5.2. The Reserve Sharing Group reviews each members ACE in response to the activation
of reserves. To be in compliance, a members ACE (or its equivalent) must meet the
Disturbance Recovery Criterion after the schedule change(s) related to reserve sharing
have been fully implemented, and within the Disturbance Recovery Period.
R6. A Balancing Authority or Reserve Sharing Group shall fully restore its Contingency Reserves
within the Contingency Reserve Restoration Period for its Interconnection.
R6.1. The Contingency Reserve Restoration Period begins at the end of the Disturbance
Recovery Period.
R6.2. The default Contingency Reserve Restoration Period is 90 minutes.
C. Measures
M1. A Balancing Authority or Reserve Sharing Group shall calculate and report compliance with
the Disturbance Control Standard for all Disturbances greater than or equal to 80% of the
magnitude of the Balancing Authoritys or of the Reserve Sharing Groups most severe single
contingency loss. Regions may, at their discretion, require a lower reporting threshold.
Disturbance Control Standard is measured as the percentage recovery (R
i
).
For loss of generation:
if ACE
A
< 0
then
Standard BAL-002-1 Disturbance Control Performance
Adopted by Board of Trustees: August 5, 2010 3
0 -10 -20 -30
0
ACE
-80
-40
% 100 *
) , 0 max(
Loss
M A Loss
i
MW
ACE ACE MW
R
=
if ACE
A
> 0
then
% 100 *
) , 0 max(
Loss
M Loss
i
MW
ACE MW
R
=
where:
MW
LOSS
is the MW size of the Disturbance as
measured at the beginning of the loss,
ACE
A
is the pre-disturbance ACE,
ACE
M
is the maximum algebraic value of ACE measured within the fifteen minutes
following the Disturbance. A Balancing Authority or Reserve Sharing Group may, at
its discretion, set ACE
M
= ACE
15
min
, and
The Balancing Authority or Reserve Sharing Group shall record the MW
LOSS
value as
measured at the site of the loss to the extent possible. The value should not be measured as a
change in ACE since governor response and AGC response may introduce error.
The Balancing Authority or Reserve Sharing Group shall base the value for ACE
A
on the
average ACE over the period just prior to the start of the Disturbance (10 and 60 seconds prior
and including at least 4 scans of ACE). In the illustration below, the horizontal line represents
an averaging of ACE for 15 seconds prior to the start of the Disturbance with a result of ACE
A
= - 25 MW.
The average percent recovery is the arithmetic average of all the calculated R
i
s for Reportable
Disturbances during a given quarter. Average percent recovery is similarly calculated for
excludable Disturbances.
D. Compliance
1. Compliance Monitoring Process
Standard BAL-002-1 Disturbance Control Performance
Adopted by Board of Trustees: August 5, 2010 4
Compliance with the DCS shall be measured on a percentage basis as set forth in the measures
above.
Each Balancing Authority or Reserve Sharing Group shall submit one completed copy of DCS
Form, NERC Control Performance Standard Survey All Interconnections to its Resources
Subcommittee Survey Contact no later than the 10th day following the end of the calendar
quarter (i.e. April 10th, July 10th, October 10th, January 10th). The Regional Entity must
submit a summary document reporting compliance with DCS to NERC no later than the 20
th
day of the month following the end of the quarter.
1.1. Compliance Enforcement Authority
Regional Entity.
1.2. Compliance Monitoring Period and Reset Timeframe
Compliance for DCS will be evaluated for each reporting period. Reset is one calendar
quarter without a violation.
1.3. Compliance Monitoring and Enforcement Processes:
Compliance Audits
Self-Certifications
Spot Checking
Compliance Violation Investigations
Self-Reporting
Complaints
1.4. Data Retention
The data that support the calculation of DCS are to be retained in electronic form for at
least a one-year period. If the DCS data for a Reserve Sharing Group and Balancing
Area are undergoing a review to address a question that has been raised regarding the
data, the data are to be saved beyond the normal retention period until the question is
formally resolved.
1.5. Additional Compliance Information
Reportable Disturbances Reportable Disturbances are contingencies that are greater
than or equal to 80% of the most severe single Contingency. A Regional Reliability
Organization, sub-Regional Reliability Organization or Reserve Sharing Group may
optionally reduce the 80% threshold, provided that normal operating characteristics are
not being considered or misrepresented as contingencies. Normal operating
characteristics are excluded because DCS only measures the recovery from sudden,
unanticipated losses of supply-side resources.
Simultaneous Contingencies Multiple Contingencies occurring within one minute
or less of each other shall be treated as a single Contingency. If the combined
magnitude of the multiple Contingencies exceeds the most severe single Contingency,
the loss shall be reported, but excluded from compliance evaluation.
Multiple Contingencies within the Reportable Disturbance Period Additional
Contingencies that occur after one minute of the start of a Reportable Disturbance but
before the end of the Disturbance Recovery Period can be excluded from evaluation.
The Balancing Authority or Reserve Sharing Group shall determine the DCS
compliance of the initial Reportable Disturbance by performing a reasonable
Standard BAL-002-1 Disturbance Control Performance
Adopted by Board of Trustees: August 5, 2010 5
estimation of the response that would have occurred had the second and subsequent
contingencies not occurred.
Multiple Contingencies within the Contingency Reserve Restoration Period
Additional Reportable Disturbances that occur after the end of the Disturbance
Recovery Period but before the end of the Contingency Reserve Restoration Period
shall be reported and included in the compliance evaluation. However, the Balancing
Authority or Reserve Sharing Group can request a waiver from the Resources
Subcommittee for the event if the contingency reserves were rendered inadequate by
prior contingencies and a good faith effort to replace contingency reserve can be
shown.
2. Levels of Non-Compliance
Each Balancing Authority or Reserve Sharing Group not meeting the DCS during a given
calendar quarter shall increase its Contingency Reserve obligation for the calendar quarter
(offset by one month) following the evaluation by the NERC or Compliance Monitor [e.g. for
the first calendar quarter of the year, the penalty is applied for May, June, and July.] The
increase shall be directly proportional to the non-compliance with the DCS in the preceding
quarter. This adjustment is not compounded across quarters, and is an additional percentage
of reserve needed beyond the most severe single Contingency. A Reserve Sharing Group may
choose an allocation method for increasing its Contingency Reserve for the Reserve Sharing
Group provided that this increase is fully allocated.
A representative from each Balancing Authority or Reserve Sharing Group that was non-
compliant in the calendar quarter most recently completed shall provide written
documentation verifying that the Balancing Authority or Reserve Sharing Group will apply
the appropriate DCS performance adjustment beginning the first day of the succeeding month,
and will continue to apply it for three months. The written documentation shall accompany
the quarterly Disturbance Control Standard Report when a Balancing Authority or Reserve
Sharing Group is non-compliant.
3. Violation Severity Levels (no changes)
E. Regional Differences
None identified.
Version History
Version Date Action Change Tracking
0 April 1, 2005 Effective Date New
0 August 8, 2005 Removed Proposed from Effective Date Errata
0 February 14,
2006
Revised graph on page 3, 10 min. to
Recovery time. Removed fourth bullet.
Errata
1 TBD Modified to address Order No. 693
Directives contained in paragraph 321.
Revised.
Standard BAL-002-1a Disturbance Control Performance
1
A. Introduction
1. Title: Disturbance Control Performance
2. Number: BAL-002-1a
3. Purpose: The purpose of the Disturbance Control Standard (DCS) is to ensure the
Balancing Authority is able to utilize its Contingency Reserve to balance resources and
demand and return Interconnection frequency within defined limits following a Reportable
Disturbance. Because generator failures are far more common than significant losses of load
and because Contingency Reserve activation does not typically apply to the loss of load, the
application of DCS is limited to the loss of supply and does not apply to the loss of load.
4. Applicability:
4.1. Balancing Authorities
4.2. Reserve Sharing Groups (Balancing Authorities may meet the requirements of
Standard 002 through participation in a Reserve Sharing Group.)
4.3. Regional Reliability Organizations
5. (Proposed) Effective Date: The first day of the first calendar quarter, one year after
applicable regulatory approval; or in those jurisdictions where no regulatory approval is
required, the first day of the first calendar quarter one year after Board of Trustees adoption.
B. Requirements
R1. Each Balancing Authority shall have access to and/or operate Contingency Reserve to respond
to Disturbances. Contingency Reserve may be supplied from generation, controllable load
resources, or coordinated adjustments to Interchange Schedules.
R1.1. A Balancing Authority may elect to fulfill its Contingency Reserve obligations by
participating as a member of a Reserve Sharing Group. In such cases, the Reserve
Sharing Group shall have the same responsibilities and obligations as each Balancing
Authority with respect to monitoring and meeting the requirements of Standard BAL-
002.
R2. Each Regional Reliability Organization, sub-Regional Reliability Organization or Reserve
Sharing Group shall specify its Contingency Reserve policies, including:
R2.1. The minimum reserve requirement for the group.
R2.2. Its allocation among members.
R2.3. The permissible mix of Operating Reserve Spinning and Operating Reserve
Supplemental that may be included in Contingency Reserve.
R2.4. The procedure for applying Contingency Reserve in practice.
R2.5. The limitations, if any, upon the amount of interruptible load that may be included.
R2.6. The same portion of resource capacity (e.g. reserves from jointly owned generation)
shall not be counted more than once as Contingency Reserve by multiple Balancing
Authorities.
R3. Each Balancing Authority or Reserve Sharing Group shall activate sufficient Contingency
Reserve to comply with the DCS.
R3.1. As a minimum, the Balancing Authority or Reserve Sharing Group shall carry at least
enough Contingency Reserve to cover the most severe single contingency. All
Balancing Authorities and Reserve Sharing Groups shall review, no less frequently
Standard BAL-002-1a Disturbance Control Performance
2
than annually, their probable contingencies to determine their prospective most severe
single contingencies.
R4. A Balancing Authority or Reserve Sharing Group shall meet the Disturbance Recovery
Criterion within the Disturbance Recovery Period for 100% of Reportable Disturbances. The
Disturbance Recovery Criterion is:
R4.1. A Balancing Authority shall return its ACE to zero if its ACE just prior to the
Reportable Disturbance was positive or equal to zero. For negative initial ACE values
just prior to the Disturbance, the Balancing Authority shall return ACE to its pre-
Disturbance value.
R4.2. The default Disturbance Recovery Period is 15 minutes after the start of a Reportable
Disturbance.
R5. Each Reserve Sharing Group shall comply with the DCS. A Reserve Sharing Group shall be
considered in a Reportable Disturbance condition whenever a group member has experienced
a Reportable Disturbance and calls for the activation of Contingency Reserves from one or
more other group members. (If a group member has experienced a Reportable Disturbance
but does not call for reserve activation from other members of the Reserve Sharing Group,
then that member shall report as a single Balancing Authority.) Compliance may be
demonstrated by either of the following two methods:
R5.1. The Reserve Sharing Group reviews group ACE (or equivalent) and demonstrates
compliance to the DCS. To be in compliance, the group ACE (or its equivalent) must
meet the Disturbance Recovery Criterion after the schedule change(s) related to reserve
sharing have been fully implemented, and within the Disturbance Recovery Period.
or
R5.2. The Reserve Sharing Group reviews each members ACE in response to the activation
of reserves. To be in compliance, a members ACE (or its equivalent) must meet the
Disturbance Recovery Criterion after the schedule change(s) related to reserve sharing
have been fully implemented, and within the Disturbance Recovery Period.
R6. A Balancing Authority or Reserve Sharing Group shall fully restore its Contingency Reserves
within the Contingency Reserve Restoration Period for its Interconnection.
R6.1. The Contingency Reserve Restoration Period begins at the end of the Disturbance
Recovery Period.
R6.2. The default Contingency Reserve Restoration Period is 90 minutes.
C. Measures
M1. A Balancing Authority or Reserve Sharing Group shall calculate and report compliance with
the Disturbance Control Standard for all Disturbances greater than or equal to 80% of the
magnitude of the Balancing Authoritys or of the Reserve Sharing Groups most severe single
contingency loss. Regions may, at their discretion, require a lower reporting threshold.
Disturbance Control Standard is measured as the percentage recovery (R
i
).
For loss of generation:
if ACE
A
<0
then
Standard BAL-002-1a Disturbance Control Performance
3
0 -10 -20 -30
0
ACE
-80
-40
% 100 *
) , 0 max(
Loss
M A Loss
i
MW
ACE ACE MW
R
if ACE
A
>0
then
% 100 *
) , 0 max(
Loss
M Loss
i
MW
ACE MW
R
where:
MW
LOSS
is the MW size of the Disturbance as
measured at the beginning of the loss,
ACE
A
is the pre-disturbance ACE,
ACE
M
is the maximum algebraic value of ACE measured within the fifteen minutes
following the Disturbance. A Balancing Authority or Reserve Sharing Group may, at
its discretion, set ACE
M
=ACE
15
min
, and
The Balancing Authority or Reserve Sharing Group shall record the MW
LOSS
value as
measured at the site of the loss to the extent possible. The value should not be measured as a
change in ACE since governor response and AGC response may introduce error.
The Balancing Authority or Reserve Sharing Group shall base the value for ACE
A
on the
average ACE over the period just prior to the start of the Disturbance (10 and 60 seconds prior
and including at least 4 scans of ACE). In the illustration below, the horizontal line represents
an averaging of ACE for 15 seconds prior to the start of the Disturbance with a result of ACE
A
=- 25 MW.
The average percent recovery is the arithmetic average of all the calculated R
i
s for Reportable
Disturbances during a given quarter. Average percent recovery is similarly calculated for
excludable Disturbances.
D. Compliance
1. Compliance Monitoring Process
Standard BAL-002-1a Disturbance Control Performance
4
Compliance with the DCS shall be measured on a percentage basis as set forth in the measures
above.
Each Balancing Authority or Reserve Sharing Group shall submit one completed copy of DCS
Form, NERC Control Performance Standard Survey All Interconnections to its Resources
Subcommittee Survey Contact no later than the 10th day following the end of the calendar
quarter (i.e. April 10th, J uly 10th, October 10th, J anuary 10th). The Regional Entity must
submit a summary document reporting compliance with DCS to NERC no later than the 20
th
day of the month following the end of the quarter.
1.1. Compliance Enforcement Authority
Regional Entity.
1.2. Compliance Monitoring Period and Reset Timeframe
Compliance for DCS will be evaluated for each reporting period. Reset is one calendar
quarter without a violation.
1.3. Compliance Monitoring and Enforcement Processes:
Compliance Audits
Self-Certifications
Spot Checking
Compliance Violation Investigations
Self-Reporting
Complaints
1.4. Data Retention
The data that support the calculation of DCS are to be retained in electronic form for at
least a one-year period. If the DCS data for a Reserve Sharing Group and Balancing
Area are undergoing a review to address a question that has been raised regarding the
data, the data are to be saved beyond the normal retention period until the question is
formally resolved.
1.5. Additional Compliance Information
Reportable Disturbances Reportable Disturbances are contingencies that are greater
than or equal to 80% of the most severe single Contingency. A Regional Reliability
Organization, sub-Regional Reliability Organization or Reserve Sharing Group may
optionally reduce the 80% threshold, provided that normal operating characteristics are
not being considered or misrepresented as contingencies. Normal operating
characteristics are excluded because DCS only measures the recovery from sudden,
unanticipated losses of supply-side resources.
Simultaneous Contingencies Multiple Contingencies occurring within one minute
or less of each other shall be treated as a single Contingency. If the combined
magnitude of the multiple Contingencies exceeds the most severe single Contingency,
the loss shall be reported, but excluded from compliance evaluation.
Multiple Contingencies within the Reportable Disturbance Period Additional
Contingencies that occur after one minute of the start of a Reportable Disturbance but
before the end of the Disturbance Recovery Period can be excluded from evaluation.
The Balancing Authority or Reserve Sharing Group shall determine the DCS
compliance of the initial Reportable Disturbance by performing a reasonable
Standard BAL-002-1a Disturbance Control Performance
5
estimation of the response that would have occurred had the second and subsequent
contingencies not occurred.
Multiple Contingencies within the Contingency Reserve Restoration Period
Additional Reportable Disturbances that occur after the end of the Disturbance
Recovery Period but before the end of the Contingency Reserve Restoration Period
shall be reported and included in the compliance evaluation. However, the Balancing
Authority or Reserve Sharing Group can request a waiver from the Resources
Subcommittee for the event if the contingency reserves were rendered inadequate by
prior contingencies and a good faith effort to replace contingency reserve can be
shown.
2. Levels of Non-Compliance
Each Balancing Authority or Reserve Sharing Group not meeting the DCS during a given
calendar quarter shall increase its Contingency Reserve obligation for the calendar quarter
(offset by one month) following the evaluation by the NERC or Compliance Monitor [e.g. for
the first calendar quarter of the year, the penalty is applied for May, J une, and J uly.] The
increase shall be directly proportional to the non-compliance with the DCS in the preceding
quarter. This adjustment is not compounded across quarters, and is an additional percentage
of reserve needed beyond the most severe single Contingency. A Reserve Sharing Group may
choose an allocation method for increasing its Contingency Reserve for the Reserve Sharing
Group provided that this increase is fully allocated.
A representative from each Balancing Authority or Reserve Sharing Group that was non-
compliant in the calendar quarter most recently completed shall provide written
documentation verifying that the Balancing Authority or Reserve Sharing Group will apply
the appropriate DCS performance adjustment beginning the first day of the succeeding month,
and will continue to apply it for three months. The written documentation shall accompany
the quarterly Disturbance Control Standard Report when a Balancing Authority or Reserve
Sharing Group is non-compliant.
3. Violation Severity Levels (no changes)
E. Regional Differences
None identified.
Version History
Version Date Action Change Tracking
0 April 1, 2005 Effective Date New
0 August 8, 2005 Removed Proposed from Effective Date Errata
0 February 14,
2006
Revised graph on page 3, 10 min. to
Recovery time. Removed fourth bullet.
Errata
1 August 5, 2010 Adopted by the NERC Board of Trustees Modified to address
Order No. 693 Directives
contained in paragraph
321.
1a November 7,
2012
Interpretation Adopted by the NERC Board
of Trustees
Standard BAL-002-1a Disturbance Control Performance
6
Appendix 1
Request for an Interpretation of a Reliability Standard
Date submitted: September 2, 2009
Date accepted: September 2, 2009
Contact information for person requesting the interpretation:
Name: Northwest Power Pool Reserve Sharing Group, in care of Jerry Rust, Agent
Organization: Northwest Power Pool Reserve Sharing Group
Telephone: 503-445-1074
E-mail: jerry.rust@nwpp.org
Identify the standard that needs clarification:
Standard Number (include version number): BAL-002-0
Standard Title: Disturbance Control Performance
Identify specifically what requirement needs clarification:
Requirement Number and Text of Requirement:
B. Requirements
***
R4. A Balancing Authority or Reserve Sharing Group shall meet the Disturbance Recovery
Criterion within the Disturbance Recovery Period for 100% of Reportable Disturbances. The
Disturbance Recovery Criterion is:
R4.1. A Balancing Authority shall return its ACE to zero if its ACE just prior to the
Reportable Disturbance was positive or equal to zero. For negative initial ACE values just
prior to the Disturbance, the Balancing Authority shall return ACE to its pre-Disturbance
value.
R4.2. The default Disturbance Recovery Period is 15 minutes after the start of a
Reportable Disturbance. This period may be adjusted to better suit the needs of an
Interconnection based on analysis approved by the NERC Operating Committee.
***
R5. Each Reserve Sharing Group shall comply with the DCS. A Reserve Sharing Group shall
be considered in a Reportable Disturbance condition whenever a group member has
experienced a Reportable Disturbance and calls for the activation of Contingency Reserves
from one or more other group members. *** Compliance may be demonstrated by either
of the following two methods:
R.5.1 The Reserve Sharing Group reviews group ACE (or equivalent) and
demonstrates compliance to the DCS. To be in compliance, the group ACE (or its equivalent)
must meet the Disturbance Recovery Criterion after the schedule change(s) related to
Standard BAL-002-1a Disturbance Control Performance
7
reserve sharing have been fully implemented, and within the Disturbance Recovery Period.
or
R.5.2. The Reserve Sharing Group reviews each members ACE in response to the
activation of reserves. To be in compliance, a members ACE (or its equivalent) must meet
the Disturbance Recovery Criterion after the schedule change(s) related to reserve sharing
have been fully implemented, and within the Disturbance Recovery Period.
***
D. Compliance
***
1.4 Additional Compliance Information
***
Simultaneous Contingencies Multiple Contingencies occurring within one
minute or less of each other shall be treated as a single Contingency. If the
combined magnitude of the multiple Contingencies exceeds the most severe
single Contingency, the loss shall be reported, but excluded from compliance
evaluation.
Multiple Contingencies within the Reportable Disturbance Period
Additional Contingencies that occur after one minute of the start of a Reportable
Disturbance but before the end of the Disturbance Recovery Period can be
excluded from evaluation. The Balancing Authority or Reserve Sharing Group
shall determine the DCS compliance of the initial Reportable Disturbance by
performing a reasonable estimation of the response that would have occurred
had the second and subsequent contingencies not occurred.
Clarification needed:
The Northwest Power Pool Reserve Sharing Group respectfully requests clarification as to
whether:
(1) although a Disturbance
1
that exceeds the most severe single Contingency must be
reported by the Balancing Authority or Reserve Sharing Group (as applicable), the
Disturbance is excluded from compliance evaluation for the applicable Balancing
Authority or Reserve Sharing Group;
(2) with respect to either simultaneous Contingencies or non-simultaneous multiple
Contingencies affecting a Reserve Sharing Group, the exclusion from compliance
evaluation for Disturbances exceeding the most severe single Contingency applies
both when (a) all Contingencies occur within a single Balancing Authority member of
the Reserve Sharing Group and (b) different Balancing Authorities within the Reserve
Sharing Group experience separate Contingencies that occur simultaneously, or non-
simultaneously but before the end of the Disturbance Recovery Period following the
first Reportable Disturbance; and
(3) the meaning of the phrase excluded from compliance evaluation as used in
Section 1.4 (Additional Compliance Information) of Part D of BAL-002-0 and for
purposes of the preceding statements is that, with respect to Disturbances that
exceed the most severe single Contingency for a Balancing Authority or Reserve
1
Irrespective of cause, including a single event, simultaneous Contingencies, or non-simultaneous multiple
Contingencies.
Standard BAL-002-1a Disturbance Control Performance
8
Sharing Group (as applicable), a violation of BAL-002-0 does not occur even if ACE is
not recovered within the Disturbance Recovery Period (15 minutes unless adjusted
pursuant to BAL-002-0, R4.2).
Identify the material impact associated with this interpretation:
Clarification is needed to avoid applications of BAL-002-0 that would render the reserve
requirement specified in R3.1 of BAL-002-0 (which calls for enough Contingency Reserve to
cover the most severe single Contingency) meaningless. The intent of BAL-002-0 is that
all Contingencies greater than or equal to 80% of the most severe single Contingency
constitute Reportable Disturbances. See Section 1.4 of Part D of BAL-002-0 (where the
Additional Compliance Information includes a definition of Reportable Disturbance).
If a Balancing Authority were to experience a Contingency below the Reportable Disturbance
level, it would be expected to recover ACE within 15 minutes, even though the literal words
of R4 of BAL-002-0 do not say this. Conversely, if a Balancing Authority were to experience
a Disturbance five times greater than its most severe single Contingency, it would be
required to report this Disturbance, but would not be required to recover ACE within 15
minutes following a Disturbance of this magnitude.
Any other interpretation would result in treating BAL-002-0 as if it required Balancing
Authorities and Reserve Sharing Groups to recover ACE (to zero or pre-Disturbance levels,
as applicable) within the 15-minute Disturbance Recovery Period without regard to
Disturbance magnitude. This is inconsistent with (a) the reserve requirement specified in
R3.1 of BAL-002-0, (b) the text of Section 1.4 of Part D of BAL-002-0, and (c) the
documented history of the development of BAL-002-0 (see, e.g., Performance Standards
Document, Version 3 (as accepted by NERC Resources Subcommittee on October 23, 2007),
which provides in Section D, Disturbance Control Standard, DCS, that An excludable
disturbance is a disturbance whose magnitude was greater than the magnitude of the most
severe single contingency.)
Furthermore, lack of clarity on the interpretation of this standard potentially has significant
financial and operational impacts on all Balancing Authorities and Reserve Sharing Groups.
If the standard is interpreted to require that ACE be returned to zero even for a Disturbance
that exceeds the most severe single Contingency, a Balancing Authority could be required to
take drastic operational actions, even when other measures of system reliability (voltage
stability, normal frequency, operation within system operating limits, etc.) indicate
otherwise.
Response:
The Balancing Authority Controls Standard Drafting Team was originally assigned to provide
a response to the interpretation request. The original interpretation failed to achieve a two-
thirds approval from the industry. NERC appointed a new IDT to develop this interpretation.
On July 24, 2012, the team provided the following response to the questions raised:
Question 1: Although a Disturbance
2
that exceeds the most severe single
Contingency must be reported by the Balancing Authority or Reserve
Sharing Group (as applicable), is the Disturbance excluded from
2
Irrespective of cause, including a single event, simultaneous Contingencies, or non-simultaneous multiple
Contingencies.
Standard BAL-002-1a Disturbance Control Performance
9
compliance evaluation for the applicable Balancing Authority or
Reserve Sharing Group?
Response: The IDT agrees that the Disturbance would be excluded from
compliance. The BAL-002 Additional Compliance Information section clearly
states:
Simultaneous Contingencies Multiple contingencies occurring within one
minute or less of each other shall be treated as a single Contingency. If the
combined magnitude of the multiple Contingencies exceeds the most severe
single Contingency, the loss shall be reported, but excluded from compliance
evaluation.
For clarity the IDT would like to explain the Teams basis concerning some of the
terminology used.
Most Severe Single Contingency (MSSC) this can be the loss of the BAs
or RSGs single largest operating generator, or it can be a known common
mode failure that causes more than one generator to fail when the contingency
occurs; or it can be a firm transaction. Although Requirement R3.1 mandates
an annual review that does not mean an annual value. Note that Requirement
R3.1 determines a prospective MSSC. MSSC is a variable that the BA knows
and operates to in real time. The largest operating generator is known and
monitored by a BA. The largest known common mode failure is predefined for
the BA; the largest single firm transaction is approved by the BA. Thus the BA
knows its MSSC which can vary from hour to hour and minute to minute.
To be clear a BA is responsible for the MSSC at all times (the MSSC value at
any given time may be more or less than the annually identified prospective
MSSC).
An undefined common mode failure can occur but it is exempted from R4s
requirement to meet the BAs or RSGs disturbance recovery criteria within the
Disturbance Recovery Period. An undefined common mode failure (i.e. a
disturbance that exceeds the MSSC) must be reported to allow the ERO to help
ensure that it is not a continuing condition.
BAL-002 has two categories (1) Compliance and reporting (for Reportable
Disturbances that must comply with the disturbance recovery criteria within the
Disturbance Recovery Period) and (2) Reporting only (for specified disturbances and
system conditions) events that are excluded from meeting Requirement R4
requirement.
The Compliance and reporting category is designed to be used to accumulate all
DCS events that are subject to compliance to BAL-002 Requirement R4 (i.e. recover
ACE within 15 minutes). These include all single assets as well as all pre-defined
common mode failures. The standard originally created R
i
(the average percent
recovery for a Reportable Disturbance) as a measure of the quarterly compliance for
Reportable Disturbances. Where all events greater than 80% were mandatory to
report and those less than 80% were permitted to be reported (thus encouraging
reporting smaller events).
The Reporting only category is designed to track multiple contingency events that
are not subject to Requirement R4. This category is designed to ensure that common
mode (single point of failures) events are not missed. Thus if two or more
contingencies repeatedly occur, the expectation was that the ERO would have the
information to alert the BA that the two contingencies must be considered as a single
Standard BAL-002-1a Disturbance Control Performance
10
event and thus considered as the MSSC.
The Performance Standard Reference document initially included with the DCS
standard does states Where RSGs exist, the Regional Reliability Council is to decide
either to report on a BA basis or an RSG basis. If an RSG has dynamic membership
then required to report on a BA basis.
Question 2: With respect to either simultaneous Contingencies or non-
simultaneous multiple Contingencies affecting a Reserve Sharing
Group, does the exclusion from compliance evaluation for
Disturbances exceeding the most severe single Contingency apply
both when (a) all Contingencies occur within a single Balancing
Authority member of the Reserve Sharing Group and (b) different
Balancing Authorities within the Reserve Sharing Group experience
separate Contingencies that occur simultaneously, or non-
simultaneously but before the end of the Disturbance Recovery Period
following the first Reportable Disturbance?
Response: Requirement R5 is directed to RSGs, where RSG is defined in the NERC
Glossary as:
A group whose members consist of two or more Balancing Authorities
that collectively maintain, allocate, and supply operating reserves
required for each Balancing Authoritys use in recovering from
contingencies within the group. Scheduling energy from an Adjacent
Balancing Authority to aid recovery need not constitute reserve sharing
provided the transaction is ramped in over a period the supplying party
could reasonably be expected to load generation in (e.g., ten minutes). If
the transaction is ramped in quicker (e.g., between zero and ten
minutes) then, for the purposes of Disturbance Control Performance, the
Areas become a Reserve Sharing Group.
The standard provides flexibility to BAs regarding the use or non-use of RSGs
(Requirement R1.1). Requirement R2 affords the members flexibility in how they
organize themselves.
Requirement R1.1 allows, at the option of a BA, or RSG to take on all or part of the
responsibilities that BAL-002 places on a BA. However, Requirement R5 allows a BA
to call for activation of reserves [aka dynamic allocation of membership] moreover,
there is no ad hoc recognition of such an RSGs multiple contingencies since a
contingency in one BA may or not be referred to the RSG, and the simultaneous
contingency in another BA is unknown.
The Technical Document does allow for a pre-acknowledged RSG to report on a
composite basis. It can be interpreted that such a pre-acknowledged RSG entity
assumes all of the obligations and rights afforded to a single BA and in that case
such an RSG would be afforded the same Exclusions as the Exclusions afforded a BA.
In summary, the interpretation is as follows:
The Standard was written to provide pre-acknowledged RSGs the same
considerations as a single BA for purposes of exclusions from DCS
compliance evaluation. Thus for a pre-acknowledged RSG the exclusion rules
would be used in the same manner as they would be used for a single BA.
This applies to both multiple contingencies occurring within one minute or
less of each other being treated as a single Contingency and to
Contingencies that occur after one minute of the start of a Reportable
Standard BAL-002-1a Disturbance Control Performance
11
Disturbance but before the end of the Disturbance Recovery Period.
The standard, while recognizing dynamically allocated RSGs, does NOT
provide the members of dynamically allocated RSGs exclusions from DCS
compliance evaluation on an RSG basis. For members of dynamically allocated
RSGs, the exclusions are provided only on a member BA by member BA basis.
Question 3: Clarify the meaning of the phrase excluded from compliance
evaluation as used in Section 1.4 (Additional Compliance
Information) of Part D of BAL-002-0 and for purposes of the
preceding statements, with respect to Disturbances that exceed the
most severe single Contingency for a Balancing Authority or Reserve
Sharing Group (as applicable), does BAL-002-0 require ACE to be
recovered within the Disturbance Recovery Period (15 minutes unless
adjusted pursuant to BAL-002-0, R4.2).
Response: The Additional Compliance Information section clearly states:
Simultaneous contingencies Multiple contingencies occurring within one
minute or less of each other shall be treated as a single Contingency. If the
combined magnitude of the multiple Contingencies exceeds the Most Severe
Single Contingency, the loss shall be reported, but excluded from compliance
evaluation.
Although Requirement R3 does mandate that a BA or RSG activate sufficient
Contingency Reserves to comply with DCS for every Reportable Disturbance, there is
no requirement to comply with or even report disturbances that are below the
Reportable Disturbance level. The averaging obligation does incent calculation and
reporting of such lesser events.
If a Balancing Authority were to experience a Disturbance five times greater than its
most severe single Contingency, it would be required to report this Disturbance,
but would not be required to recover ACE within 15 minutes following a Disturbance
of this magnitude.
An excludable disturbance is a disturbance whose magnitude was greater than the
magnitude of the most severe single contingency. Any other interpretation would
result in treating BAL-002-0 as if it required Balancing Authorities and Reserve
Sharing Groups to recover ACE (to zero or pre-Disturbance levels, as applicable)
within the 15-minute Disturbance Recovery Period without regard to Disturbance
magnitude. This is inconsistent with (a) the reserve requirement specified in R3.1 of
BAL-002-0, (b) the text of Section 1.4 of Part D of BAL-002-0, and (c) the
documented history of the development of BAL-002-0 (see, e.g., Performance
Standards Document, Version 3 (as accepted by NERC Resources Subcommittee on
October 23, 2007), which provides in Section D, Disturbance Control Standard, DCS,
that An excludable disturbance is a disturbance whose magnitude was greater than
the magnitude of the most severe single contingency.)
WECC Standard BAL-002-WECC-2 Contingency Reserve
1
A. Introduction
1. Title: Contingency Reserve
2. Number: BAL-002-WECC-2
3. Purpose: To specify the quantity and types of Contingency Reserve required to
ensure reliability under normal and abnormal conditions.
4. Applicability:
4.1 Balancing Authority
4.1.1. The Balancing Authority is the responsible entity unless the Balancing
Authority is a member of a Reserve Sharing Group, in which case, the
Reserve Sharing Group becomes the responsible entity.
4.2 Reserve Sharing Group
4.2.1. The Reserve Sharing Group when comprised of a Source Balancing
Authority becomes the source Reserve Sharing Group.
4.2.2. The Reserve Sharing Group when comprised of a Sink Balancing
Authority becomes the sink Reserve Sharing Group.
5. Effective Date: On the first day of the third quarter following applicable regulatory
approval.
B. Requirements and Measures
R1. Each Balancing Authority and each Reserve Sharing Group shall maintain a
minimum amount of Contingency Reserve, except within the first sixty minutes
following an event requiring the activation of Contingency Reserve, that is: [Violation
Risk Factor: High] [Time Horizon: Real-time operations]
1.1 The greater of either:
The amount of Contingency Reserve equal to the loss of the most severe
single contingency;
The amount of Contingency Reserve equal to the sum of three percent of
hourly integrated Load plus three percent of hourly integrated generation.
1.2 Comprised of any combination of the reserve types specified below:
WECC Standard BAL-002-WECC-2 Contingency Reserve
2
Operating Reserve Spinning
Operating Reserve - Supplemental
Interchange Transactions designated by the Source Balancing Authority as
Operating Reserve Supplemental
Reserve held by other entities by agreement that is deliverable on Firm
Transmission Service
A resource, other than generation or load, that can provide energy or
reduce energy consumption
Load, including demand response resources, Demand-Side Management
resources, Direct Control Load Management, Interruptible Load or
Interruptible Demand, or any other Load made available for curtailment by
the Balancing Authority or the Reserve Sharing Group via contract or
agreement.
All other load, not identified above, once the Reliability Coordinator has
declared an energy emergency alert signifying that firm load interruption is
imminent or in progress.
1.3 Based on real-time hourly load and generating energy values averaged over
each Clock Hour (excluding Qualifying Facilities covered in 18 C.F.R.
292.101, as addressed in FERC Order 464).
1.4 An amount of capacity from a resource that is deployable within ten minutes.
M1. Each Balancing Authority and each Reserve Sharing Group will have documentation
demonstrating its Contingency Reserve was maintained, except within the first sixty
minutes following an event requiring the activation of Contingency Reserve.
Part 1.1
Each Balancing Authority and each Reserve Sharing Group will have dated
documentation that demonstrates its Contingency Reserve was maintained in
accordance with the amounts identified in Requirement R1, Part 1.1, except within
the first sixty minutes following an event requiring the activation of Contingency
Reserve.
Attachment A is a practical illustration showing how the generation amount may be
calculated under Requirement R1.
Where Dynamic Schedules are used as part of the generation amount
upon which Contingency Reserve is predicated, additional evidence of
compliance with Requirement R1, Part 1.1 may include, but is not limited
WECC Standard BAL-002-WECC-2 Contingency Reserve
3
to, documentation showing a reciprocal acknowledgement as to which
entity is carrying the reserves. This transfer may be all or some portion of
the physical generator and is not limited to the entire physical capability
of the generator.
Where Pseudo-Ties are used as part of the generation amount upon
which Contingency Reserve is predicated, additional evidence of
compliance with Requirement R1, Part 1.1, may include, but is not limited
to, documentation accounting for the transfers included in the Pseudo-
Ties.
Part 1.2
Each Balancing Authority and each Reserve Sharing Group will have dated
documentation that demonstrates compliance with Requirement R1, Part 1.2.
Evidence may include, but is not limited to, documentation that reserves were
comprised of the types listed in Requirement R1, Part 1.2 for purposes of meeting
the Contingency Reserve obligation of Requirement R1. Additionally, for purposes
of the last bullet of Requirement R1, Part 1.2, evidence of compliance may include,
but is not limited to, documentation that the reliability coordinator had issued an
energy emergency alert, indicating that firm Load interruption was imminent or was
in progress.
Part 1.3
Each Balancing Authority and each Reserve Sharing Group will have dated
documentation that demonstrates compliance with Requirement R1, Part 1.3.
Evidence of compliance with Requirement R1, Part 1.3 may include, but is not
limited to, documentation that Contingency Reserve amounts are based upon load
and generating data averaged over each Clock Hour and excludes Qualifying
Facilities covered in 18 C.F.R. 292.101, as addressed in FERC Order 464.
Part 1.4
Evidence of compliance with Requirement R1, Part 1.4 may include, but is not
limited to, documentation that the reserves maintained to comply with Requirement
R1, Part 1.4 are fully deployable within ten minutes.
R2. Each Balancing Authority and each Reserve Sharing Group shall maintain at least
half of its minimum amount of Contingency Reserve identified in Requirement R1, as
Operating Reserve Spinning that meets both of the following reserve
characteristics. [Violation Risk Factor: High] [Time Horizon: Real-time operations]
2.1 Reserve that is immediately and automatically responsive to frequency
deviations through the action of a governor or other control system;
WECC Standard BAL-002-WECC-2 Contingency Reserve
4
2.2 Reserve that is capable of fully responding within ten minutes.
M2. Each Balancing Authority and each Reserve Sharing Group will have dated
documentation that demonstrates it maintained at least half of the Contingency
Reserve identified in Requirement R1 as Operating Reserve Spinning, averaged
over each Clock Hour, that met both of the reserve characteristics identified in
Requirement R2, Part 2.1 and Requirement R2, Part 2.2.
R3. Each Sink Balancing Authority and each sink Reserve Sharing Group shall maintain
an amount of Operating Reserve, in addition to the minimum Contingency Reserve
in Requirement R1, equal to the amount of Operating ReserveSupplemental for
any Interchange Transaction designated as part of the Source Balancing Authoritys
Operating ReserveSupplemental or source Reserve Sharing Groups Operating
ReserveSupplemental, except within the first sixty minutes following an event
requiring the activation of Contingency Reserve. [Violation Risk Factor: High] [Time
Horizon: Real-time operations]
M3. Each Sink Balancing Authority and each sink Reserve Sharing Group will have
dated documentation demonstrating it maintained an amount of Operating Reserve,
in addition to the Contingency Reserve identified in Requirement R1, equal to the
amount of Operating ReserveSupplemental for any Interchange Transaction
designated as part of the Source Balancing Authoritys Operating Reserve
Supplemental or source Reserve Sharing Groups Operating Reserve
Supplemental, for the entire period of the transaction, except within the first sixty
minutes following an event requiring the activation of Contingency Reserves, in
accordance with Requirement 3.
R4. Each Source Balancing Authority and each source Reserve Sharing Group shall
maintain an amount of Operating Reserve, in addition to the minimum Contingency
Reserve amounts identified in Requirement R1, equal to the amount and type of
Operating Reserves for any Operating Reserve transactions for which it is the
Source Balancing Authority or source Reserve Sharing Group. [Violation Risk
Factor: High] [Time Horizon: Real-time operations]
M4. Each Source Balancing Authority and each source Reserve Sharing Group will have
dated documentation that demonstrates it maintained an amount of additional
Operating Reserves identified in Requirement R1, greater than or equal to the
amount and type of that identified in Requirement 4, for the entire period of the
transaction.
C. Compliance
1. Compliance Monitoring Process
1.1 Compliance Enforcement Authority
WECC Standard BAL-002-WECC-2 Contingency Reserve
5
For entities that do not work for the Regional Entity, the Regional Entity shall
serve as the Compliance Enforcement Authority.
For Reliability Coordinators and other functional entities that work for their
Regional Entity, the ERO or a Regional Entity approved by the ERO and FERC
or other applicable governmental authorities shall serve as the Compliance
Enforcement Authority.
For responsible entities that are also Regional Entities, the ERO or a Regional
Entity approved by the ERO and FERC or other applicable governmental
authorities shall serve as the Compliance Enforcement Authority.
1.2 Compliance Monitoring and Assessment Processes:
Compliance Audit
Self-Certification
Spot Checking
Compliance Investigation
Self-Reporting
Complaint
1.3 Evidence Retention
The following evidence retention periods identify the period of time an entity is
required to retain specific evidence to demonstrate compliance. For instances
where the evidence retention period specified below is shorter than the time
since the last audit, the Compliance Enforcement Authority may ask an entity to
provide other evidence to show that it was compliant for the full time period
since the last audit.
Each Balancing Authority and each Reserve Sharing Group shall keep
evidence for Requirement R1 through R4 for three years plus calendar current.
1.4. Additional Compliance Information
1.4.1. This Standard shall apply to each Balancing Authority and each Reserve
Sharing Group that has registered with WECC as provided in Part 1.4.2
of Section C.
Each Balancing Authority identified in the registration with WECC as
provided in Part 1.4.2 of Section C shall be responsible for compliance
with this Standard through its participation in the Reserve Sharing Group
and not on an individual basis.
WECC Standard BAL-002-WECC-2 Contingency Reserve
6
1.4.2. A Reserve Sharing Group may register as the Responsible Entity for
purposes of compliance with this Standard by providing written notice to
the WECC: 1) indicating that the Reserve Sharing Group is registering
as the Responsible Entity for purposes of compliance with this Standard,
2) identifying each Balancing Authority that is a member of the Reserve
Sharing Group, and 3) identifying the person or organization that will
serve as agent on behalf of the Reserve Sharing Group for purposes of
communications and data submissions related to or required by this
Standard.
1.4.3. If an agent properly designated in accordance with Part 1.4.2 of Section
C identifies individual Balancing Authorities within the Reserve Sharing
Group responsible for noncompliance at the time of data submission,
together with the percentage of responsibility attributable to each
identified Balancing Authority, then, except as may otherwise be finally
determined through a duly conducted review or appeal of the initial
finding of noncompliance: 1) any penalties assessed for noncompliance
by the Reserve Sharing Group shall be allocated to the individual
Balancing Authorities identified in the applicable data submission in
proportion to their respective percentages of responsibility as specified in
the data submission, 2) each Balancing Authority shall be solely
responsible for all penalties allocated to it according to its percentage of
responsibility as provided in subsection 1) of this Part 1.4.3 of Section C,
and 3) neither the Reserve Sharing Group nor any member of the
Reserve Sharing Group shall be responsible for any portion of a penalty
assessed against another member of the Reserve Sharing Group in
accordance with subsection 1) of this Part 1.4.3 of Section C (even if the
member of Reserve Sharing Group against which the penalty is
assessed is not subject to or otherwise fails to pay its allocated share of
the penalty).
1.4.4. If an agent properly designated in accordance with Part 1.4.2 of Section
C fails to identify individual Balancing Authorities within the Reserve
Sharing Group responsible for noncompliance at the time of data
submission or fails to specify percentages of responsibility attributable to
each identified Balancing Authority, any penalties for noncompliance
shall be assessed against the agent on behalf of the Reserve Sharing
Group, and it shall be the responsibility of the members of the Reserve
Sharing Group to allocate responsibility for such noncompliance.
1.4.5. Any Balancing Authority that is a member of a Reserve Sharing Group
that has failed to register as provided in Part 1.4.2 of Section C shall be
subject to this Standard on an individual basis.
WECC Standard BAL-002-WECC-2 Contingency Reserve
7
Table of Compliance Elements
R Time
Horizon
VRF Violation Severity Levels
Lower VSL Moderate VSL High VSL Severe VSL
R1 Real-time
Operations
High The Balancing
Authority or the
Reserve Sharing
Group that incurs
one Clock Hour,
during a
calendar month,
in which
Contingency
Reserve is less
than 100% but
greater than or
equal to 90% of
the required
Contingency
Reserve amount,
with the
characteristics
specified in
Requirement R1.
The Balancing
Authority or the
Reserve
Sharing Group
that incurs one
Clock Hour,
during a
calendar month,
in which
Contingency
Reserve is less
than 90% but
greater than or
equal to 80% of
the required
Contingency
Reserve
amount, with the
characteristics
specified in
Requirement
R1.
The Balancing
Authority or the
Reserve Sharing
Group that
incurs one Clock
Hour, during a
calendar month,
in which
Contingency
Reserve is less
than 80% but
greater than or
equal to 70% of
the required
Contingency
Reserve
amount, with the
characteristics
specified in
Requirement
R1.
The Balancing
Authority or the
Reserve
Sharing Group
that incurs one
Clock Hour,
during a
calendar month,
in which
Contingency
Reserve is less
than 70% of the
required
Contingency
Reserve
amount, with
the
characteristics
specified in
Requirement
R1.
R2 Real-time
Operations
High The Balancing
Authority or the
Reserve Sharing
Group that
incurs one Clock
Hour, during a
calendar month,
in which
Contingency
Reserve
Operating
Reserve -
Spinning is less
than 100% but
greater than or
equal to 90% of
the required
The Balancing
Authority or the
Reserve
Sharing Group
that incurs one
Clock Hour,
during a
calendar month,
in which
Contingency
Reserve
Operating
Reserve -
Spinning is less
than 90% but
greater than or
equal to 80% of
The Balancing
Authority or the
Reserve
Sharing Group
that incurs one
Clock Hour,
during a
calendar
month, in which
Contingency
Reserve
Operating
Reserve -
Spinning is less
than 80% but
greater than or
equal to 70% of
The Balancing
Authority or the
Reserve
Sharing Group
that incurs one
Clock Hour,
during a
calendar month,
in which
Contingency
Reserve
Operating
Reserve -
Spinning is less
than 70% of the
required
Operating
WECC Standard BAL-002-WECC-2 Contingency Reserve
8
R Time
Horizon
VRF Violation Severity Levels
Lower VSL Moderate VSL High VSL Severe VSL
Operating
Reserve
Spinning amount
specified in
Requirement R2,
and both
characteristics
were met.
the required
Operating
Reserve
Spinning
amount
specified in
Requirement
R2, and both
characteristics
were met.
the required
Operating
Reserve
Spinning
amount
specified in
Requirement
R2, and both
characteristics
were met.
Reserve
Spinning
amount
specified in
Requirement
R2, and both
characteristics
were met.
R3 Real-time
Operations
High The Balancing
Authority or the
Reserve Sharing
Group that
incurs one hour,
during a
calendar month,
in which
Contingency
Reserve is less
than 100% but
greater than or
equal to 90% of
the required
Operating
Reserve amount
specified in
Requirement R3.
The Balancing
Authority or the
Reserve
Sharing Group
that incurs one
hour, during a
calendar month,
in which
Contingency
Reserve is less
than 90% but
greater than or
equal to 80% of
the required
Operating
Reserve
amount
specified in
Requirement
R3.
The Balancing
Authority or the
Reserve
Sharing Group
that incurs one
hour, during a
calendar
month, in which
Contingency
Reserve is less
than 80% but
greater than or
equal to 70% of
the required
Operating
Reserve
amount
specified in
Requirement
R3.
The Balancing
Authority or the
Reserve
Sharing Group
that incurs one
hour, during a
calendar month,
in which
Contingency
Reserve is less
than 70% of the
required
Operating
Reserve
amount
specified in
Requirement
R3.
R4 Real-time
Operations
High The Balancing
Authority or the
Reserve Sharing
Group that
incurs one hour,
during a
calendar month,
in which
Contingency
Reserve
Operating
The Balancing
Authority or the
Reserve
Sharing Group
that incurs one
hour, during a
calendar month,
in which
Contingency
Reserve
Operating
The Balancing
Authority or the
Reserve
Sharing Group
that incurs one
hour, during a
calendar
month, in which
Contingency
Reserve
Operating
The Balancing
Authority or the
Reserve
Sharing Group
that incurs one
hour, during a
calendar month,
in which
Contingency
Reserve
Operating
WECC Standard BAL-002-WECC-2 Contingency Reserve
9
R Time
Horizon
VRF Violation Severity Levels
Lower VSL Moderate VSL High VSL Severe VSL
Reserve is less
than 100% but
greater than or
equal to 90% of
the required
Operating
Reserve amount
specified in
Requirement R4.
Reserve is less
than 90% but
greater than or
equal to 80% of
the required
Operating
Reserve
amount
specified in
Requirement
R4.
Reserve is less
than 80% but
greater than or
equal to 70% of
the required
Operating
Reserve
amount
specified in
Requirement
R4.
Reserve is less
than 70% of the
required
Operating
Reserve
amount
specified in
Requirement
R4.
D. Regional Variances
None.
E. Interpretations
None.
F. Associated Documents
None.
WECC Standard BAL-002-WECC-2 Contingency Reserve
10
Attachment A
Attachment A is illustrative only; it is not a requirement. Requirement R1 calls for an amount
of Contingency Reserve to be maintained, predicated on an amount of generation and load
required in Requirement R1, Part 1.1., specifically:
1.1 The greater of either:
The amount of Contingency Reserve equal to the loss of the most
severe single contingency;
The amount of Contingency Reserve equal to the sum of three
percent of hourly integrated Load plus three percent of hourly
integrated generation.
Attachment A illustrates one possible way to account for and calculate the amount of
generation upon which the Contingency Reserve amount is predicated.
Below is a practical illustration showing how the generation amount may be calculated under
Requirement R1 for Balancing Authorities (BA) and Reserve Sharing Groups (RSG).
BA1 / RSG 1 Generation Part of Generator
Generator 1 300 MWs online Yes
Generator 2 200 MWs online Yes
Generator 3 (Pseudo-Tied out to BA2) 100 MWs online No
Generator 4 QF (has backup contract) 10 MWs online No
Generator 5 QF in EMS 10 MWs online Yes
Generator 6 0 MWs online Yes
Dynamic Schedule to BA2 from BA1
1
(50 MWs)
Generation 620 MWs (The sum of gen 1-6)
BA generation (EMS) 510 MWs (The sum of gen 1, 2, and 5)
Generation to use Under BAL-002-WECC-1 460 MWs** (The sum of gen 1, 2 and 5
minus Dynamic Schedule)
** Assumes BA1 and BA2 agree on Dynamic Schedule treatment. If no agreement, BA1
would maintain reserves based on 510 MWs Generation.
BA2 / RSG2 Generation Part of Generator
Generator 11 100 MWs Yes
1
Note: This Dynamic Schedule is not the same as the Generator 3 Pseudo-Tie.
WECC Standard BAL-002-WECC-2 Contingency Reserve
11
Generator 12 100 MWs Yes
Generator 3 (Pseudo-Tied in from BA1) 100 MWs Yes
Dynamic Schedule from BA1 to BA2 50 MWs Yes
Generation 300 MWs (The sum of gen 11, 12 and 3.)
BA generation (EMS) 300 MWs (The sum of gen 11, 12 and 3)
Generation to use Under BAL-002-WECC-1 350 MWs** (The sum of gen 11, 12 and 3
plus Dynamic Schedule)
** Assumes BA1 and BA2 agree on Dynamic Schedule treatment. If no agreement, BA1
would have to maintain reserves based on 510MWs Generation and BA2 would determine its
generation to be 300 MWs.
WECC Standard BAL-002-WECC-2 Contingency Reserve
12
Guideline and Technical Basis
A Guidance Document addressing implementation of this standard has been filed with this
standard.
Version History
Version
Date Action Change Tracking
1 October 29, 2008
Adopted by NERC Board of
Trustees
1 October 21, 2010
Order issued remanding
BAL-002-WECC-1
2 November 7, 2012
Adopted by NERC Board of
Trustees
Standard BAL-003-0.1b Frequency Response and Bias
Page 1 of 5
A. Introduction
1. Title: Frequency Response and Bias
2. Number: BAL-003-0.1b
3. Purpose: This standard provides a consistent method for calculating the Frequency Bias
component of ACE.
4. Applicability:
4.1. Balancing Authorities.
5. Effective Date: Immediately after approval of applicable regulatory authorities.
B. Requirements
R1. Each Balancing Authority shall review its Frequency Bias Settings by January 1 of each year
and recalculate its setting to reflect any change in the Frequency Response of the Balancing
Authority Area.
R1.1. The Balancing Authority may change its Frequency Bias Setting, and the method used
to determine the setting, whenever any of the factors used to determine the current bias
value change.
R1.2. Each Balancing Authority shall report its Frequency Bias Setting, and method for
determining that setting, to the NERC Operating Committee.
R2. Each Balancing Authority shall establish and maintain a Frequency Bias Setting that is as
close as practical to, or greater than, the Balancing Authoritys Frequency Response.
Frequency Bias may be calculated several ways:
R2.1. The Balancing Authority may use a fixed Frequency Bias value which is based on a
fixed, straight-line function of Tie Line deviation versus Frequency Deviation. The
Balancing Authority shall determine the fixed value by observing and averaging the
Frequency Response for several Disturbances during on-peak hours.
R2.2. The Balancing Authority may use a variable (linear or non-linear) bias value, which is
based on a variable function of Tie Line deviation to Frequency Deviation. The
Balancing Authority shall determine the variable frequency bias value by analyzing
Frequency Response as it varies with factors such as load, generation, governor
characteristics, and frequency.
R3. Each Balancing Authority shall operate its Automatic Generation Control (AGC) on Tie Line
Frequency Bias, unless such operation is adverse to system or Interconnection reliability.
R4. Balancing Authorities that use Dynamic Scheduling or Pseudo-ties for jointly owned units
shall reflect their respective share of the unit governor droop response in their respective
Frequency Bias Setting.
R4.1. Fixed schedules for Jointly Owned Units mandate that Balancing Authority (A) that
contains the Jointly Owned Unit must incorporate the respective share of the unit
governor droop response for any Balancing Authorities that have fixed schedules (B
and C). See the diagram below.
R4.2. The Balancing Authorities that have a fixed schedule (B and C) but do not contain the
Jointly Owned Unit shall not include their share of the governor droop response in
their Frequency Bias Setting.
Standard BAL-003-0.1b Frequency Response and Bias
Page 2 of 5
R5. Balancing Authorities that serve native load shall have a monthly average Frequency Bias
Setting that is at least 1% of the Balancing Authoritys estimated yearly peak demand per 0.1
Hz change.
R5.1. Balancing Authorities that do not serve native load shall have a monthly average
Frequency Bias Setting that is at least 1% of its estimated maximum generation level in
the coming year per 0.1 Hz change.
R6. A Balancing Authority that is performing Overlap Regulation Service shall increase its
Frequency Bias Setting to match the frequency response of the entire area being controlled. A
Balancing Authority shall not change its Frequency Bias Setting when performing
Supplemental Regulation Service.
C. Measures
M1. Each Balancing Authority shall perform Frequency Response surveys when called for by the
Operating Committee to determine the Balancing Authoritys response to Interconnection
Frequency Deviations.
D. Compliance
Not Specified.
E. Regional Differences
None identified.
F. Associated Documents
1. Appendix 1 Interpretation of Requirement R3 (October 23, 2007).
2. Appendix 2 Interpretation of Requirements R2, R2.2, R5, and R5.1 (February 12, 2008).
Version History
Version Date Action Change Tracking
0 April 1, 2005 Effective Date New
0 August 8, 2005 Removed "Proposed" from Effective Date Errata
0 March 16, 2007
FERC Approval Order 693
New
A
B C
J ointly Owned Unit
Standard BAL-003-0.1b Frequency Response and Bias
Page 3 of 5
0a December 19, 2007 Added Appendix 1 Interpretation of R3
approved by BOT on October 23, 2007
Addition
0a July 21, 2008 FERC Approval of Interpretation of R3 Addition
0b February 12, 2008 Added Appendix 2 Interpretation of R2,
R2.2, R5, and R5.1 approved by BOT on
February 12, 2008
Addition
0.1b January 16, 2008 Section F: added 1.; changed hyphen to en
dash. Changed font style for Appendix 1 to
Arial; updated version number to 0.1b
Errata
0.1b October 29, 2008 BOT approved errata changes Errata
0.1a May 13, 2009 FERC Approved errata changes version
changed to 0.1a (Interpretation of R2, R2.2,
R5, and R5.1 not yet approved)
Errata
0.1b May 21, 2009 FERC Approved Interpretation of R2, R2.2,
R5, and R5.1
Addition
Standard BAL-003-0.1b Frequency Response and Bias
Page 4 of 5
Appendix 1
Interpretation of Requirement 3
Request: Does the WECC Automatic Time Error Control Procedure (WATEC) violate Requirement 3 of
BAL-003-0?
Interpretation:
Requirement 3 of BAL-003-0 Frequency Response and Bias deals with Balancing Authorities using
Tie-Line Frequency Bias as the normal mode of automatic generation control.
Tie-Line Frequency Bias is one of the three foundational control modes available in a Balancing
Authoritys energy management system. (The other two are flat-tie and flat-frequency.) Many Balancing
Authorities layer other control objectives on top of their basic control mode, such as automatic inadvertent
payback, CPS optimization, time control (in single BA Interconnections).
As long as Tie-Line Frequency Bias is the underlying control mode and CPS1 is measured and reported
on the associated ACE equation, there is no violation of BAL-003-0 Requirement 3:
ACE = (NI
A
NI
S
) 10B (F
A
F
S
) I
ME
BAL-003-0
R3. Each Balancing Authority shall operate its Automatic Generation Control (AGC) on Tie Line
Frequency Bias, unless such operation is adverse to system or Interconnection reliability.
Standard BAL-003-0.1b Frequency Response and Bias
Page 5 of 5
Appendix 2
Interpretation of Requirements R2, R2.2, R5, R5.1
Request: ERCOT specifically requests clarification that a Balancing Authority is entitled to use a
variable bias value as authorized by Requirement R2.2, even though Requirement 5 seems not to account
for the possibility of variable bias settings.
Interpretation:
The consensus of the Resources Subcommittee is that BAL-003-0 Frequency Response and Bias
Requirement R2 does not conflict with BAL-003-0 Requirement R5.
BAL-003-0 Frequency Response and Bias Requirement 2 requires a Balancing Authority to analyze
its response to frequency excursions as a first step in determining its frequency bias setting. The
Balancing Authority may then choose a fixed bias (constant through the year) per Requirement 2.1, or a
variable bias (varies with load, specific generators, etc.) per Requirement 2.2.
BAL-003-0 Frequency Response and Bias Requirement 5 sets a minimum contribution for all
Balancing Authorities toward stabilizing interconnection frequency. The 1% bias setting establishes a
minimum level of automatic generation control action to help stabilize frequency following a disturbance.
By setting a floor on bias, Requirement 5 also helps ensure a consistent measure of control performance
among all Balancing Authorities within a multi-Balancing Authority interconnection. However, ERCOT
is a single Balancing Authority interconnection. The bias settings ERCOT uses do produce, on average,
the best level of automatic generation control action to meet control performance metrics. The bias value
in a single Balancing Authority interconnection does not impact the measure of control performance.
BAL-003-0
R2. Each Balancing Authority shall establish and maintain a Frequency Bias Setting that is as close
as practical to, or greater than, the Balancing Authoritys Frequency Response. Frequency Bias
may be calculated several ways:
R2.1. The Balancing Authority may use a fixed Frequency Bias value which is based on a
fixed, straight-line function of Tie Line deviation versus Frequency Deviation. The
Balancing Authority shall determine the fixed value by observing and averaging the
Frequency Response for several Disturbances during on-peak hours.
R2.2. The Balancing Authority may use a variable (linear or non-linear) bias value, which is
based on a variable function of Tie Line deviation to Frequency Deviation. The
Balancing Authority shall determine the variable frequency bias value by analyzing
Frequency Response as it varies with factors such as load, generation, governor
characteristics, and frequency.
BAL-003-0
R5. Balancing Authorities that serve native load shall have a monthly average Frequency Bias
Setting that is at least 1% of the Balancing Authoritys estimated yearly peak demand per 0.1 Hz
change.
R5.1. Balancing Authorities that do not serve native load shall have a monthly average
Frequency Bias Setting that is at least 1% of its estimated maximum generation level in
the coming year per 0.1 Hz change.
Standard BAL-003-1 Frequency Response and Frequency Bias Setting
Page 1 of 12
A. Introduction
Title: Frequency Response and Frequency Bias Setting
Number: BAL-003-1
Purpose: To require sufficient Frequency Response from the Balancing Authority (BA) to
maintain Interconnection Frequency within predefined bounds by arresting frequency
deviations and supporting frequency until the frequency is restored to its scheduled
value. To provide consistent methods for measuring Frequency Response and
determining the Frequency Bias Setting.
Applicability:
1.1. Balancing Authority
1.1.1 The Balancing Authority is the responsible entity unless the Balancing
Authority is a member of a Frequency Response Sharing Group, in which
case, the Frequency Response Sharing Group becomes the responsible
entity.
1.2. Frequency Response Sharing Group
Effective Date:
1.3. In those jurisdictions where regulatory approval is required, Requirements R2, R3
and R4 of this standard shall become effective the first calendar day of the first
calendar quarter 12 months after applicable regulatory approval. In those
jurisdictions where no regulatory approval is required, Requirements R2, R3 and
R4 of this standard shall become effective the first calendar day of the first
calendar quarter 12 months after Board of Trustees adoption.
1.4. In those jurisdictions where regulatory approval is required, Requirements R1 of
this standard shall become effective the first calendar day of the first calendar
quarter 24 months after applicable regulatory approval. In those jurisdictions
where no regulatory approval is required, Requirements R1 of this standard shall
become effective the first calendar day of the first calendar quarter 24 months
after Board of Trustees adoption.
B. Requirements
R1. Each Frequency Response Sharing Group (FRSG) or Balancing Authority that is not a
member of a FRSG shall achieve an annual Frequency Response Measure (FRM) (as
calculated and reported in accordance with Attachment A) that is equal to or more
negative than its Frequency Response Obligation (FRO) to ensure that sufficient
Frequency Response is provided by each FRSG or BA that is not a member of a FRSG
to maintain Interconnection Frequency Response equal to or more negative than the
Interconnection Frequency Response Obligation. [Risk Factor: Medium ][Time
Horizon: Real-time Operations]
Standard BAL-003-1 Frequency Response and Frequency Bias Setting
Page 2 of 12
R2. Each Balancing Authority that is a member of a multiple Balancing Authority
Interconnection and is not receiving Overlap Regulation Service and uses a fixed
Frequency Bias Setting shall implement the Frequency Bias Setting determined in
accordance with Attachment A, as validated by the ERO, into its Area Control Error
(ACE) calculation during the implementation period specified by the ERO and shall
use this Frequency Bias Setting until directed to change by the ERO. [Risk Factor:
Medium ][Time Horizon: Operations Planning]
R3. Each Balancing Authority that is a member of a multiple Balancing Authority
Interconnection and is not receiving Overlap Regulation Service and is utilizing a
variable Frequency Bias Setting shall maintain a Frequency Bias Setting that is: [Risk
Factor: Medium ][Time Horizon: Operations Planning]
1.1 Less than zero at all times, and
1.2 Equal to or more negative than its Frequency Response Obligation when
Frequency varies from 60 Hz by more than +/- 0.036 Hz.
R4. Each Balancing Authority that is performing Overlap Regulation Service shall modify
its Frequency Bias Setting in its ACE calculation, in order to represent the Frequency
Bias Setting for the combined Balancing Authority Area, to be equivalent to either:
[Risk Factor: Medium ][Time Horizon: Operations Planning]
The sum of the Frequency Bias Settings as shown on FRS Form 1 and FRS
Form 2 for the participating Balancing Authorities as validated by the ERO, or
The Frequency Bias Setting shown on FRS Form 1 and FRS Form 2 for the
entirety of the participating Balancing Authorities Areas.
C. Measures
M1. Each Frequency Response Sharing Group or Balancing Authority that is not a member
of a Frequency Response Sharing Group shall have evidence such as dated data plus
documented formula in either hardcopy or electronic format that it achieved an annual
FRM (in accordance with the methods specified by the ERO in Attachment A with data
from FRS Form 1 reported to the ERO as specified in Attachment A) that is equal to or
more negative than its FRO to demonstrate compliance with Requirement R1.
M2. The Balancing Authority that is a member of a multiple Balancing Authority
Interconnection and is not receiving Overlap Regulation Service shall have evidence
such as a dated document in hard copy or electronic format showing the ERO validated
Frequency Bias Setting was implemented into its ACE calculation within the
implementation period specified or other evidence to demonstrate compliance with
Requirement R2.
M3. The Balancing Authority that is a member of a multiple Balancing Authority
Interconnection, is not receiving Overlap Regulation Service and is utilizing variable
Frequency Bias shall have evidence such as a dated report in hard copy or electronic
format showing the average clock-minute average Frequency Bias Setting was less
than zero and during periods when the clock-minute average frequency was outside of
Standard BAL-003-1 Frequency Response and Frequency Bias Setting
Page 3 of 12
the range 59.964 Hz to 60.036 Hz was equal to or more negative than its Frequency
Response Obligation to demonstrate compliance with Requirement R3.
M4. The Balancing Authority shall have evidence such as a dated operating log, database or
list in hard copy or electronic format showing thatwhenitperformedOverlap
RegulationService,itmodifieditsFrequencyBiasSettinginitsACEcalculationas
specifiedinRequirementR4 to demonstrate compliance with Requirement R4.
D. Compliance
1. Compliance Monitoring Process
1.1. Compliance Enforcement Authority
The Regional Entity is the Compliance Enforcement Authority except where the
responsible entity works for the Regional Entity. Where the responsible entity
works for the Regional Entity, the Regional Entity will establish an agreement
with the ERO or another entity approved by the ERO and FERC (i.e. another
Regional Entity), to be responsible for compliance enforcement.
1.2. Compliance Monitoring and Assessment Processes:
Compliance Audits
Self-Certifications
Spot Checking
Compliance Investigation
Self-Reporting
Complaints
1.3. Data Retention
The following evidence retention periods identify the period of time an entity is
required to retain specific evidence to demonstrate compliance. For instances
where the evidence retention period specified below is shorter than the time since
the last audit, the Compliance Enforcement Authority may ask an entity to
provide other evidence to show that it was compliant for the full time period since
the last audit.
The Balancing Authority shall retain data or evidence to show compliance with
Requirements R1, R2, R3 and R4, Measures M1, M2, M3 and M4 for the current
year plus the previous three calendar years unless directed by its Compliance
Enforcement Authority to retain specific evidence for a longer period of time as
part of an investigation.
The Frequency Response Sharing Group shall retain data or evidence to show
compliance with Requirement R1 and Measure M1 for the current year plus the
previous three calendar years unless directed by its Compliance Enforcement
Standard BAL-003-1 Frequency Response and Frequency Bias Setting
Page 4 of 12
Authority to retain specific evidence for a longer period of time as part of an
investigation.
If a Balancing Authority or Frequency Response Sharing Group is found non-
compliant, it shall keep information related to the non-compliance until found
compliant or for the time period specified above, whichever is longer.
The Compliance Enforcement Authority shall keep the last audit records and all
subsequent requested and submitted records.
1.4. Additional Compliance Information
For Interconnections that are also Balancing Authorities, Tie Line Bias control
and flat frequency control are equivalent and either is acceptable.
2.0 Violation Severity Levels
R# Lower VSL Medium VSL High VSL Severe VSL
R1 The summation of
the Balancing
Authorities FRM
within an
Interconnection was
equal to or more
negative than the
Interconnections
IFRO, and the
Balancing
Authoritys, or
Frequency Response
Sharing Groups,
FRM was less
negative than its
FRO by more than
1% but by at most
30% or 15 MW/0.1
Hz, whichever one
is the greater
deviation from its
FRO
The summation of
the Balancing
Authorities FRM
within an
Interconnection was
equal to or more
negative than the
Interconnections
IFRO, and the
Balancing
Authoritys, or
Frequency Response
Sharing Groups,
FRM was less
negative than its
FRO by more than
30% or by more
than 15 MW/0.1 Hz,
whichever is the
greater deviation
from its FRO
The summation of
the Balancing
Authorities FRM
within an
Interconnection did
not meet its IFRO,
and the Balancing
Authoritys, or
Frequency Response
Sharing Groups,
FRM was less
negative than its
FRO by more than
1% but by at most
30% or 15 MW/0.1
Hz, whichever one is
the greater deviation
from its FRO
The summation of
the Balancing
Authorities FRM
within an
Interconnection did
not meet its IFRO,
and the Balancing
Authoritys, or
Frequency Response
Sharing Groups,
FRM was less
negative than its
FRO by more than
30% or by more
than 15 MW/0.1 Hz,
whichever is the
greater deviation
from its FRO
R2 The Balancing
Authority in a
multiple Balancing
Authority
Interconnection and
not receiving
Overlap Regulation
The Balancing
Authority in a
multiple Balancing
Authority
Interconnection and
not receiving
Overlap Regulation
The Balancing
Authority in a
multiple Balancing
Authority
Interconnection and
not receiving
Overlap Regulation
The Balancing
Authority in a
multiple Balancing
Authority
Interconnection and
not receiving
Overlap Regulation
Standard BAL-003-1 Frequency Response and Frequency Bias Setting
Page 5 of 12
Service and uses a
fixed Frequency
Bias Setting failed to
implement the
validated Frequency
Bias Setting value
into its ACE
calculation within
the implementation
period specified but
did so within 5
calendar days from
the implementation
period specified by
the ERO.
Service and uses a
fixed Frequency
Bias Setting
implemented the
validated Frequency
Bias Setting value
into its ACE
calculation in more
than 5 calendar days
but less than or
equal to 15 calendar
days from the
implementation
period specified by
the ERO.
Service and uses a
fixed Frequency
Bias Setting
implemented the
validated Frequency
Bias Setting value
into its ACE
calculation in more
than 15 calendar
days but less than or
equal to 25 calendar
days from the
implementation
period specified by
the ERO.
Service and uses a
fixed Frequency
Bias Setting did not
implement the
validated Frequency
Bias Setting value
into its ACE
calculation in more
than 25 calendar
days from the
implementation
period specified by
the ERO.
R3 The Balancing
Authority that is a
member of a
multiple Balancing
Authority
Interconnection and
is not receiving
Overlap Regulation
Service and uses a
variable Frequency
Bias Setting average
Frequency Bias
Setting during
periods when the
clock-minute
average frequency
was outside of the
range 59.964 Hz to
60.036 Hz was less
negative than its
Frequency Response
Obligation by more
than 1% but by at
most 10%.
The Balancing
Authority that is a
member of a
multiple Balancing
Authority
Interconnection and
not receiving
Overlap Regulation
Service and uses a
variable Frequency
Bias Setting average
Frequency Bias
Setting during
periods when the
clock-minute
average frequency
was outside of the
range 59.964 Hz to
60.036 Hz was less
negative than its
Frequency Response
Obligation by more
than 10% but by at
most 20%.
The Balancing
Authority that is a
member of a
multiple Balancing
Authority
Interconnection and
not receiving
Overlap Regulation
Service and uses a
variable Frequency
Bias Setting average
Frequency Bias
Setting during
periods when the
clock-minute
average frequency
was outside of the
range 59.964 Hz to
60.036 Hz was less
negative than its
Frequency Response
Obligation by more
than 20% but by at
most 30%.
The Balancing
Authority that is a
multiple Balancing
Authority
Interconnection and
not receiving
Overlap Regulation
Service and uses a
variable Frequency
Bias Setting average
Frequency Bias
Setting during
periods when the
clock-minute
average frequency
was outside of the
range 59.964 Hz to
60.036 Hz was less
negative than its
Frequency Response
obligation by more
than 30%..
R4 The Balancing
Authority
incorrectly changed
the Frequency Bias
Setting value used in
its ACE calculation
when providing
The Balancing
Authority
incorrectly changed
the Frequency Bias
Setting value used in
its ACE calculation
when providing
The Balancing
Authority
incorrectly changed
the Frequency Bias
Setting value used in
its ACE calculation
when providing
The Balancing
Authority
incorrectly changed
the Frequency Bias
Setting value used in
its ACE calculation
when providing
Standard BAL-003-1 Frequency Response and Frequency Bias Setting
Page 6 of 12
Overlap Regulation
Services with
combined footprint
setting-error less
than or equal to 10%
of the validated or
calculated value.
Overlap Regulation
Services with
combined footprint
setting-error more
than 10% but less
than or equal to 20%
of the validated or
calculated value.
Overlap Regulation
Services with
combined footprint
setting-error more
than 20% but less
than or equal to 30%
of the validated or
calculated value.
Overlap Regulation
Services with
combined footprint
setting-error more
than 30% of the
validated or
calculated value.
OR
The Balancing
Authority failed to
change the
Frequency Bias
Setting value used in
its ACE calculation
when providing
Overlap Regulation
Services.
E. Regional Variance
None
F. Associated Documents
Procedure for ERO Support of Frequency Response and Frequency Bias Setting Standard
FRS Form 1
FRS Form 2
Frequency Response Standard Background Document
G. Version History
Version Date Action Change Tracking
0 April 1, 2005 Effective Date New
0 August 8, 2005 Removed "Proposed" from
Effective Date
Errata
0 March 16, 2007
FERC Approval Order 693
New
0a December 19,
2007
Added Appendix 1
Interpretation of R3 approved
by BOT on October 23, 2007
Addition
0a J uly 21, 2008 FERC Approval of
Interpretation of R3
Addition
Standard BAL-003-1 Frequency Response and Frequency Bias Setting
Page 7 of 12
0b February 12,
2008
Added Appendix 2
Interpretation of R2, R2.2, R5,
and R5.1 approved by BOT on
February 12, 2008
Addition
0.1b J anuary 16, 2008 Section F: added 1.;
changed hyphen to en dash.
Changed font style for
Appendix 1 to Arial;
updated version number to
0.1b
Errata
0.1b October 29,
2008
BOT approved errata changes Errata
0.1a May 13, 2009 FERC Approved errata
changes version changed to
0.1a (Interpretation of R2,
R2.2, R5, and R5.1 not yet
approved)
Errata
0.1b May 21, 2009 FERC Approved
Interpretation of R2, R2.2, R5,
and R5.1
Addition
1 February 7, 2013 Adopted by NERC Board of
Trustees
Complete Revision under
Project 2007-12
Standard BAL-003-1 Frequency Response and Frequency Bias Setting
Page 8 of 12
Attachment A
BAL-003-1 Frequency Response & Frequency Bias Setting Standard
Supporting Document
Interconnection Frequency Response Obligation (I FRO)
TheERO,inconsultationwithregionalrepresentatives,hasestablishedatargetcontingencyprotection
criterionforeachInterconnectioncalledtheInterconnectionFrequencyResponseObligation(IFRO).
ThedefaultIFROlistedinTable1isbasedontheresourcecontingencycriteria(RCC),whichisthelargest
categoryC(N2)eventidentifiedexceptfortheEasternInterconnection,whichusesthelargesteventin
thelast10years.Amaximumdeltafrequency(MDF)iscalculatedbyadjustingastartingfrequencyfor
eachInterconnectionbythefollowing:
PrevailingUFLSfirststep
CC
Adj
whichistheadjustmentforthedifferencesbetween1secondandsubsecondPointC
observationsforfrequencyevents.ApositivevalueindicatesthatthesubsecondCdatais
lowerthanthe1seconddata
CB
R
whichisthestatisticallydeterminedratioofthePointCtoValueB
BC
Adj
whichisthestatisticallydeterminedadjustmentfortheeventnadirbeingbelowtheValue
B(EasternInterconnectiononly)duringprimaryfrequencyresponsewithdrawal.
TheIFROforeachInterconnectioninTable1isthencalculatedbydividingtheRCCMWsby10timesthe
MDF.IntheEasternInterconnectionthereisanadditionaladjustment(BC
Adj
)fortheeventnadirbeing
belowtheValueBduetoprimaryfrequencyresponsewithdrawal.ThisIFROincludesuncertainty
adjustmentsata95%confidencelevel.DetaileddescriptionsofthecalculationsusedinTable1below
aredefinedintheProcedureforEROSupportofFrequencyResponseandFrequencyBiasSetting
Standard.
Interconnection Eastern Western ERCOT HQ Units
StartingFrequency(F
Start
) 59.974 59.976 59.963 59.972 Hz
PrevailingUFLSFirstStep 59.5* 59.5 59.3 58.5 Hz
BaseDeltaFrequency(DF
Base
) 0.474 0.476 0.663 1.472 Hz
CC
ADJ
0.007 0.004 0.012 N/A Hz
DeltaFrequency(DF
CC
) 0.467 0.472 0.651 1.472 Hz
CB
R
1.000 1.625 1.377 1.550
DeltaFrequency(DF
CBR
) 0.467 0.291 0.473 0.949 Hz
BC
ADJ
0.018 N/A N/A N/A Hz
Max.DeltaFrequency(MDF) 0.449 0.291 0.473 0.949
ResourceContingencyCriteria
(RCC) 4,500 2,740 2,750 1,700 MW
CreditforLoadResources
(CLR) 300 1,400** MW
IFRO 1,002 840 286 179 MW/0.1Hz
Table1:InterconnectionFrequencyResponseObligations
Standard BAL-003-1 Frequency Response and Frequency Bias Setting
Page 9 of 12
*TheEasternInterconnectionUFLSsetpointlistedisacompromisevaluesetmidwaybetween
thestablefrequencyminimumestablishedinPRC0061(59.3Hz)andthelocalprotectionUFLS
settingof59.7HzusedinFloridaandManitoba.
**IntheBaseObligationmeasureforERCOT,1400MW(LoadResourcestriggeredbyUnder
FrequencyRelaysat59.70Hz)wasreducedfromitsResourceContingencyCriterialevelof2750
MWtoget239MW/0.1Hz.Thiswasreducedtoaccuratelyaccountfordesignedresponsefrom
LoadResourceswithin30cycles.
AnInterconnectionmayproposealternateIFROprotectioncriteriatotheERObysubmittingaSARwith
supportingtechnicaldocumentation.
Balancing Authority Frequency Response Obligation (FRO) and Frequency Bias
Setting
TheEROwillmanagetheadministrativeprocedureforannuallyassigninganFROandimplementationof
theFrequencyBiasSettingforeachBalancingAuthority.Theannualtimelineforallactivitiesdescribed
inthissectionareshownbelow.
ForamultipleBalancingAuthorityinterconnection,theInterconnectionFrequencyResponseObligation
showninTable1isallocatedbasedontheBalancingAuthorityannualloadandannualgeneration.The
FROallocationwillbebasedonthefollowingmethod:
FRO
BA
IFRO
Annual Gen
BA
Annual Load
BA
Annual Gen
I
Annual Load
I
Where:
AnnualGen
BA
isthetotalannualOutputofGeneratingPlantswithintheBalancingAuthority
Area(BAA),onFERCForm714,columncofPartIISchedule3.
AnnualLoad
BA
istotalannualLoadwithintheBAA,onFERCForm714,columneofPartII
Schedule3.
AnnualGen
Int
isthesumofallAnnualGen
BA
valuesreportedinthatinterconnection.
AnnualLoad
Int
isthesumofallAnnualLoad
BA
valuesreportedinthatinterconnection.
ThedatausedforthiscalculationisfromthemostrecentlyfiledForm714.Asanexample,areportto
NERCinJanuary2013wouldusetheForm714datafiledin2012,whichutilizeddatafrom2011.
BalancingAuthoritiesthatarenotFERCjurisdictionalshouldusetheForm714Instructionstoassemble
andsubmitequivalentdatatotheEROforuseintheFROAllocationprocess.
BalancingAuthoritiesthatelecttoformaFRSGwillcalculateaFRSGFRObyaddingtogetherthe
individualBAFROs.
BalancingAuthoritiesthatelecttoformaFRSGasameanstojointlymeettheFROwillcalculatetheir
FRMperformanceoneoftwoways:
CalculateagroupNI
A
andmeasurethegroupresponsetoalleventsinthereportingyearona
singleFRSForm1,or
JointlysubmittheindividualBAsForm1s,withasummaryspreadsheetthatcontainsthesum
ofeachparticipantsindividualeventperformance.
Standard BAL-003-1 Frequency Response and Frequency Bias Setting
Page 10 of 12
BalancingAuthoritiesthatmergeorthattransferloadorgenerationareencouragedtonotifytheEROof
thechangeinfootprintandcorrespondingchangesinallocationsuchthatthenetobligationtothe
InterconnectionremainsthesameandsothatCPSlimitscanbeadjusted.
EachBalancingAuthorityreportsitspreviousyearsFrequencyResponseMeasure(FRM),Frequency
BiasSettingandFrequencyBiastype(fixedorvariable)totheEROeachyeartoallowtheEROtovalidate
therevisedFrequencyBiasSettingsonFRSForm1.IftheEROpoststheofficiallistofeventsafterthe
datespecifiedinthetimelinebelow,BalancingAuthoritieswillbegiven30daysfromthedatetheERO
poststheofficiallistofeventstosubmittheirFRSForm1.
OncetheEROreviewsthedatasubmittedinFRSForm1andFRSForm2forallBalancingAuthorities,
theEROwilluseFRSForm1datatopostthefollowinginformationforeachBalancingAuthorityforthe
upcomingyear:
FrequencyBiasSetting
FrequencyResponseObligation(FRO)
Oncethedatalistedaboveisfullyposted,theEROwillannouncethethreedayimplementationperiod
forchangingtheFrequencyBiasSettingifitdiffersfromthatshowninthetimelinebelow.
ABAusingafixedFrequencyBiasSettingsetsitsFrequencyBiasSettingtothegreaterof(inabsolute
value):
AnynumbertheBAchoosesbetween100%and125%ofitsFrequencyResponseMeasureas
calculatedonFRSForm1
InterconnectionMinimumasdeterminedbytheERO
ForpurposesofcalculatingtheminimumFrequencyBiasSetting,aBalancingAuthorityparticipatingina
FrequencyResponseSharingGroupwillneedtocalculateitsstandaloneFrequencyResponseMeasure
usingFRSForm1andFRSForm2todetermineitsminimumFrequencyBiasSetting.
ABalancingAuthorityprovidingOverlapRegulationwillreportthehistoricpeakdemandandgeneration
ofitscombinedBAsareasonFRSForm1asdescribedinRequirementR4.
ThereareoccasionswhenchangesareneededtoBiasSettingsoutsideofthenormalschedule.
ExamplesarefootprintchangesbetweenBalancingAuthoritiesandmajorchangesinloadorgeneration
ortheformationofnewBalancingAuthorities.InsuchcasesthechangingBalancingAuthoritieswill
workwiththeirRegions,NERCandtheResourcesSubcommitteetoconfirmappropriatechangestoBias
Settings,FRO,CPSlimitsandInadvertentInterchangebalances.
IfthereisnonetchangetotheInterconnectiontotalBias,theBalancingAuthoritiesinvolvedwillagree
onadatetoimplementtheirrespectivechangeinBiasSettings.TheBalancingAuthoritiesandEROwill
alsoagreetotheallocationofFROsuchthatthesumremainsthesame.
IfthereisanetchangetotheInterconnectiontotalBias,thiswillcauseachangeinCPS2limitsandFRO
forotherBalancingAuthoritiesintheInterconnection.Inthiscase,theEROwillnotifytheimpacted
BalancingAuthoritiesoftheirrespectivechangesandprovideanimplementationwindowformaking
theBiasSettingchanges.
Frequency Response Measure (FRM)
TheBalancingAuthoritywillcalculateitsFRMfromSingleEventFrequencyResponseData(SEFRD),
definedas:thedatafromanindividualeventfromaBalancingAuthoritythatisusedtocalculateits
Standard BAL-003-1 Frequency Response and Frequency Bias Setting
Page 11 of 12
FrequencyResponse,expressedinMW/0.1HzascalculatedonFRSForm2foreacheventshownonFRS
Form1.TheeventsinFRSForm1areselectedbytheEROusingtheProcedureforEROSupportof
FrequencyResponseandFrequencyBiasSettingStandard.TheSEFRDforatypicalBalancingAuthorityin
anInterconnectionwithmorethanoneBalancingAuthorityisbasicallythechangeinitsNetActual
InterchangeonitstielineswithitsadjacentBalancingAuthoritiesdividedbythechangein
Interconnectionfrequency.(SomeBalancingAuthoritiesmaychoosetoapplycorrectionstotheirNet
ActualInterchange(NA
I
)valuestoaccountforfactorssuchasnonconformingloads.FRSForm1and2
showsthetypesofadjustmentsthatareallowed.NotethatwiththeexceptionoftheContingentBA
column,anyadjustmentsmademustbemadeforalleventsinanevaluationyear.Asanexample,ifan
entityhasnonconformingloadsandmakesanadjustmentforoneevent,alleventsmustshowthenon
conformingload,evenifthenonconformingloaddoesnotimpactthecalculation.Thisensuresthatthe
reportsarenotutilizingtheadjustmentsonlywhentheyarefavorabletotheBA.)TheEROwillusea
standardizedsamplingintervalofapproximately16secondsbeforetheeventuptothetimeofthe
eventforthepreeventNA
I
,andfrequency(Avalues)andapproximately20to52secondsafterthe
eventfortheposteventNA
I
(Bvalues)inthecomputationofSEFRDvalues,dependentonthedatascan
rateoftheBalancingAuthoritysEnergyManagementSystem(EMS).
AlleventslistedonFRSForm1needtobeincludedintheannualsubmissionofFRSForms1and2.The
onlytimeaBalancingAuthorityshouldexcludeaneventisifitstielinedataoritsFrequencydatais
corruptoritsEMSwasunavailable.FRSForm2hasinstructionsonhowtocorrecttheBAsdataifthe
giveneventisinternaltotheBAorifotherauthorizedadjustmentsareused.
AssumingdataentryiscorrectFRSForm1willautomaticallycalculatetheBalancingAuthoritysFRMfor
thepast12monthsasthemedianoftheSEFRDvalues.ABalancingAuthorityelectingtoreportasan
FRSGoraproviderofOverlapRegulationServicewillprovideanFRSForm1fortheaggregateofits
participants.
ToallowBalancingauthoritiestoplanitsoperations,eventswithaPointCthatcausethe
InterconnectionFrequencytobelowerthanthatshowninTable1above(forexample,aneventinthe
EasternInterconnectionthatcausestheInterconnectionFrequencytogoto59.4Hz)orhigherthanan
equalchangeinfrequencygoingabove60Hzmaybeincludedinthelistofeventsforthat
interconnection.However,thecalculationoftheBAresponsetosuchaneventwillbeadjustedtoshow
afrequencychangeonlytotheTargetMinimumFrequencyshowninTable1above(intheprevious
examplethisadjustmentwouldcauseFrequencytobeshownas59.5Hzratherthan59.4HZ)orahigh
frequencyamountofanequalquantity.Shouldsuchaneventhappen,theEROwillprovideadditional
guidance.
Timeline for Balancing Authority Frequency Response and Frequency Bias Setting
Activities
DescribedbelowisthetimelinefortheexchangeofinformationbetweentheEROandBalancing
Authorities(BA)to:
FacilitatetheassignmentofBAFrequencyResponseObligations(FRO)
CalculateBAFrequencyResponseMeasures(FRM)
DetermineBAFrequencyBiasSettings(FBS)
=
NI
S
= Net Interchange Scheduled (MW).
Y = B
i
/ B
S.
H = Number of Hours used to payback Inadvertent Interchange Energy. The WECC
Performance Work Group has set the value of H to 3.
B
S
= Frequency Bias for the Interconnection (MW / 0.1 Hz).
II
peak on/off
primary
= is the Balancing Authoritys accumulated primary inadvertent interchange
in MWh. An On-Peak and Off-Peak accumulation accounting is required.
Where:
II
peak on/off
primary
= last periods
II
peak on/off
primary
+ (1-Y) * (II
actual
- B
i
* TE/6)
II
actual
is the hourly Inadvertent Interchange for the last hour.
TE is the hourly change in system Time Error as distributed by the Interconnection
Time Monitor.
Standard BAL-004-WECC-01 Automatic Time Error Correction
Adopted by Board of Trustees: March 26, 2008 2
Where:
TE = TE
end hour
TE
begin hour
TD
adj
(t)*(TE offset)
TD
adj
is any operator adjustment to the control center Time Error to correct for
differences with the time monitor.
t is the number of minutes of Manual Time Error Correction that occurred during the
hour.
TE offset is 0.000 or +0.020 or -0.020.
R1.1. The absolute value of the WECC Automatic Time Error Correction term is limited as
follows:
on/off peak
primary
max
(1-Y) H
II
L
Where L
max
is chosen by the Balancing Authority and is bounded as follows:
0.20 * |B
i
|
max
L L
10
L
10
is the Balancing Authority CPS2 limit in MW. If the WECC Automatic Time Error
Correction term is less than the upper limit, use the calculated WECC Automatic Time
Error Correction term.
R1.2. Large accumulations of primary inadvertent point to an invalid implementation of
ATEC, loose control, metering or accounting errors. A BA in such a situation should
identify the source of the error(s) and make the corrections, recalculate the primary
inadvertent from the time of the error, adjust the accumulated primary inadvertent
caused by the error(s), validate the implementation of ATEC, set L
max
equal to L
10
and
continue to operate with ATEC reducing the accumulation as system parameters allow.
R2. Each BA that is synchronously connected to the Western Interconnection and operates in any
AGC operating mode other than ATEC shall notify all other BAs of its operating mode
through the designated Interconnection communication system. Each BA while synchronously
connected to the Western Interconnection will be allowed to have ATEC out of service for a
maximum of 24 hours per calendar quarter, for reasons including maintenance and testing.
[Risk Factor: Lower]
R3. BAs in the Western Interconnection shall be able to change their AGC operating mode
between Flat Frequency (for blackout restoration); Flat Tie Line (for loss of frequency
telemetry); Tie Line Bias; Tie Line Bias plus Time Error control (used in ATEC mode). The
ACE used for NERC reports shall be the same ACE as the AGC operating mode in use. [Risk
Factor: Lower]
R4. Regardless of the AGC operating mode each BA in the Western Interconnection shall compute
its hourly Primary Inadvertent Interchange when hourly checkout is complete. If hourly
checkout is not complete by 50 minutes after the hour, compute Primary Inadvertent
Interchange with best available data. This hourly value shall be added to the appropriate
accumulated Primary Inadvertent Interchange balance for either On-Peak or Off-Peak periods.
[Risk Factor: Lower]
R4.1. Each BA in the Western Interconnection shall use the change in Time Error distributed
by the Interconnection Time Monitor.
R4.2. All corrections to any previous hour Primary Inadvertent Interchange shall be added to
the appropriate On- or Off-Peak accumulated Primary Inadvertent Interchange.
Standard BAL-004-WECC-01 Automatic Time Error Correction
Adopted by Board of Trustees: March 26, 2008 3
R4.3. Month end Inadvertent Adjustments are 100% Primary Inadvertent Interchange and
shall be added to the appropriate On- or Off-Peak accumulated Primary Inadvertent
Interchange, unless such adjustments can be pinpointed to specific hours in which case
R4.2 applies.
R4.4. Each BA in the Western Interconnection shall synchronize its Time Error to the nearest
0.001 seconds of the system Time Error by comparing its reading at the designated
time each day to the reading broadcast by the Interconnection Time Monitor. Any
difference shall be applied as an adjustment to its current Time Error.
C. Measures
M1. For Requirement R1, a BA shall provide upon request a document showing that it is correctly
calculating its hourly Primary Inadvertent Interchange number that is used to calculate its
accumulated Primary Inadvertent Interchange and how it is used in its ACE equation for
Automatic Time Error Correction.
M2. For Requirement R2, a BA shall record the date, time, reason, and notification [to other BAs
within the Western Interconnection] for any time it is not operating utilizing Automatic Time
Error Correction (ATEC) in its AGC system.
M3. For Requirement R3, a BA in the Western Interconnection must be able to demonstrate its
ability to change its AGC operating mode when requested or during compliance audits and
readiness reviews.
M4. For Requirement R4, a BA in the Western Interconnection must record its hourly Primary
Inadvertent Interchange and keep an accurate record of its accumulation of Primary
Inadvertent Interchange for both On-Peak and Off-Peak accounts. These records must be
available for review when requested or during compliance audits and readiness reviews.
D. Compliance
1. Compliance Monitoring Process
1.1. Compliance Monitoring Responsibility
Regional Entity
Compliance Monitoring Period and Reset time Frame
The reporting period for ATEC is one calendar quarter, starting on the first second of the quarter
and ending on the final second of the quarter.
The Performance-reset Period is one calendar quarter.
1.2. Data Retention
Each Balancing Authority in the Western Interconnection shall retain its hourly calculation of
total and Primary Inadvertent Interchange calculated hourly, as well as the amount of Primary
Inadvertent paid back hourly for the preceding calendar year (January December) plus the
current year.
Each Balancing Authority in the Western Interconnection shall retain its total accumulated
Inadvertent and total Primary Inadvertent, updated hourly, for On- and Off-Peak for the
preceding calendar year (January December) plus the current year.
Standard BAL-004-WECC-01 Automatic Time Error Correction
Adopted by Board of Trustees: March 26, 2008 4
Each Balancing Authority in the Western Interconnection shall retain its record of the amount of
time it operated without ATEC and the notification to the Interconnection of these times for the
preceding calendar year (January December) plus the current year.
The Compliance Monitor shall retain audit data for three calendar years.
1.3. Additional Compliance Information
The Compliance Monitor shall use quarterly data to monitor compliance. The Compliance
Monitor may also use periodic audits (on site, per a schedule), with spot reviews and
investigations initiated in response to a complaint to assess performance.
The Balancing Authority in the Western Interconnection shall have the following documentation
available for its Compliance Monitor to inspect during a scheduled, on-site review or within five
business days of a request as part of a triggered investigation:
1.3.1. Source data for calculating Primary Inadvertent.
1.3.2. Data showing On- and Off-Peak Primary Inadvertent accumulations.
1.3.3. Data showing hourly payback of Primary Inadvertent.
1.3.4. Documentation on number of times not on ATEC and reasons for going off ATEC.
2. Violation Severity Levels
2.1. Lower: Time not in ATEC Mode greater than one day and less than or equal to three days, or if
a Balancing Authority in the Western Interconnection operates without ATEC and does not
notify other Balancing Authorities in the Western Interconnection 2 times in quarter.
2.2. Moderate: Time not in ATEC Mode greater than three days and less than or equal to five days,
or if a Balancing Authority in the Western Interconnection operates without ATEC and does not
notify other Balancing Authorities in the Western Interconnection 3 times in quarter.
2.3. High: Time not in ATEC Mode greater than five days and less than or equal to seven days, or if
a Balancing Authority in the Western Interconnection operates without ATEC and does not
notify other Balancing Authorities in the Western Interconnection 4 times in quarter.
2.4. Severe: Time not in ATEC Mode greater than seven days, or if a Balancing Authority in the
Western Interconnection operates without ATEC and does not notify other Balancing Authorities
in the Western Interconnection more than 4 times in quarter or Balancing Authority in the
Western Interconnection cannot change AGC operating mode or Balancing Authority in the
Western Interconnection incorrectly calculates Primary Inadvertent.
Standard BAL-004-WECC-01 Automatic Time Error Correction
Adopted by Board of Trustees: March 26, 2008 5
Version History
Version Date Action Change Tracking
1 February 4, 2003 Effective Date. New
1 October 17, 2006 Created Standard from Procedure. Errata
1 February 6, 2007 Changed the Standard Version from 0 to 1
in the Version History Table.
Errata
1 February 6, 2007 The upper limit bounds to the amount of
Automatic Time Error Correction term was
inadvertently omitted during the Standard
Translation. The bound was added to the
requirement R1.4.
Errata
1 February 6, 2007 The statement The Time Monitor may
declare offsets in 0.001-second
increments was moved from TEoffset to
TDadj and offsets was corrected to
adjustments.
Errata
1 February 6, 2007 The reference to seconds was deleted from
the TE offset term.
Errata
1 June 19, 2007 The standard number BAL-STD-004-1
was changed to BAL-004-WECC-01 to be
consistent with the NERC Regional
Reliability Standard Numbering
Convention.
Errata
WECC Standard BAL-004-WECC-02 Automatic Time Error Correction
Page 1 of 12
A. Introduction
1. Title: Automatic Time Error Correction
2. Number: BAL-004-WECC-02
3. Purpose: To maintain Interconnection frequency and to ensure that Time Error
Corrections and Primary Inadvertent Interchange (PII) payback are effectively conducted
in a manner that does not adversely affect the reliability of the Interconnection.
4. Applicability
4.1. Functional Entities
4.1.1 Balancing Authorities that operate synchronously in the Western
Interconnection.
5. Effective Date: On the first day of the second quarter, after applicable regulatory
approval has been received (or the Reliability Standard otherwise becomes effective the
first day of the fourth quarter following NERC Board adoption where regulatory
approval is not required).
6. Background:
In February 2003, the WECC Automatic Time Error Correction (ATEC) Procedure
(Procedure) became effective for all Balancing Authorities in the Western
Interconnection. The original intent of the Procedure was to minimize the number of
Manual Time Error Corrections in the Western Interconnection. ATEC provides the
added benefit of a superior approach over the current NERC Reliability Standard BAL-
004-0 Time Error Correction for assigning costs and providing for the equitable
payback of Inadvertent Interchange. In October 2006, the Procedure became a WECC
Criterion. In May 2009, FERC issued Order No.723 that approved Regional Reliability
Standard BAL-004-WECC-1 - Automatic Time Error Correction, as submitted by NERC. In
addition, the Commission directed WECC to develop several clarifying modifications to
BAL-004-WECC-1 using the FERC-approved Process for Developing and Approving WECC
Standards. The Effective Date of the BAL-004-WECC-1 standard was July 1, 2009. BAL-
004-WECC-1 required Balancing Authorities within the Western Interconnection to
maintain Interconnection frequency within a predefined frequency profile and to ensure
that Time Error Corrections were effectively conducted in a manner that did not
adversely affect the reliability of the Interconnection. In September 2009, WECC
received WECC Standards/Regional Criterion Request Form (Request) WECC-0068,
which was a request for modification of BAL-004-WECC-1. In July 2010, the chair of the
WECC Operating Committee assigned the Request to the Performance Work Group
(PWG) for development.
WECC Standard BAL-004-WECC-02 Automatic Time Error Correction
Page 2 of 12
B. Requirements and Measures
R1. Following the conclusion of each month each Balancing Authority shall verify that the
absolute value of its Accumulated Primary Inadvertent Interchange (PII
accum
) for both
the monthly On-Peak period and the monthly Off-Peak period are each individually less
than or equal to:
1.1. For load-serving Balancing Authorities, 150% of the previous calendar years
integrated hourly Peak Demand,
1.2. For generation-only Balancing Authorities, 150% of the previous calendar years
integrated hourly peak generation.
[Violation Risk Factor Medium:] [Time Horizon: Operations Assessment]
M1. Forms of acceptable evidence of compliance with Requirement R1include but are
not limited to any one of the following:
Data, screen shots from the WECC Interchange Tool (WIT),
Data, screen shots from the internal Balancing Authority tool, or
Production of data from any other databases, spreadsheets, displays.
R2. Each Balancing Authority shall, upon discovery of an error in the calculation of PII
hourly
,
recalculate within 90 days, the value of PII
hourly
and adjust the PII
accum
from the time of
the error. [Violation Risk Factor: Medium] [Time Horizon: Operations Assessment]
M2. Forms of acceptable evidence of compliance with Requirement R2 include but are
not limited to any one of the following:
Data, screen shots from the WIT,
Data, screen shots from the internal Balancing Authority tool, or
Production of data from any other databases, spreadsheets, displays.
R3. Each Balancing Authority shall keep its Automatic Time Error Correction (ATEC) in
service, with an allowable exception period of less than or equal to an accumulated 24
hours per calendar quarter for ATEC to be out of service. [Violation Risk Factor:
Medium] [Time Horizon: Same-day Operations]
M3. Forms of acceptable evidence of compliance with Requirement R3 may include,
but are not limited to:
Dated archived files,
Historical data,
WECC Standard BAL-004-WECC-02 Automatic Time Error Correction
Page 3 of 12
Other data that demonstrates the ATEC was out of service for less than 24
hours per calendar quarter.
R4. Each Balancing Authority shall compute the following by 50 minutes after each hour:
4.1. PII
hourly
,
4.2. PII
accum
,
4.3. Automatic Time Error Correction term (I
ATEC
).
[Violation Risk Factor: Medium] [Time Horizon: Operations Assessment]
M4. Forms of acceptable evidence of compliance with Requirement R4 include but are
not limited to any one of the following:
Data, screen shots from the WECC Interchange Tool that demonstrate
compliance,
Data, screen shots from internal Balancing Authority tool that demonstrate
compliance, or
Data from any other databases, spreadsheets, displays that demonstrate
compliance.
R5. Each Balancing Authority shall be able to change its Automatic Generation Control
operating mode between Flat Frequency (for blackout restoration); Flat Tie Line (for
loss of frequency telemetry); Tie Line Bias; and Tie Line Bias plus Time Error Control
(used in ATEC mode), to correspond to current operating conditions. [Violation Risk
Factor: Medium] [Time Horizon: Real-Time Operations]
M5. Forms of acceptable evidence of compliance with Requirement R5 include but are
not limited to any one of the following:
Screen shots from Energy Management System,
Demonstration using an off-line system.
R6. Each Balancing Authority shall recalculate the PII
hourly
and PII
accum
for the On-Peak and
Off-Peak periods whenever adjustments are made to hourly Inadvertent Interchange or
TE. [Violation Risk Factor: Medium] [Time Horizon: Operations Assessment]
M6. Forms of acceptable evidence of compliance with Requirement R6 include but are
not limited to any one of the following:
Data, screen shots from the WECC Interchange Tool that demonstrate
compliance,
WECC Standard BAL-004-WECC-02 Automatic Time Error Correction
Page 4 of 12
Data, screen shots from an internal Balancing Authority tool that
demonstrate compliance with, or
Data from any other databases, spreadsheets, displays that demonstrate
compliance.
R7. Each Balancing Authority shall make the same adjustment to the PII
accum
as it did for any
month-end meter reading adjustments to Inadvertent Interchange. [Violation Risk
Factor: Medium] [Time Horizon: Operations Assessment]
M7. Forms of acceptable evidence of compliance with Requirement R7 include but are
not limited to any one of the following:
Data, screen shots from the WECC Interchange Tool that demonstrate
compliance,
Data, screen shots from an internal Balancing Authority tool that
demonstrate compliance,
Production of data from any other databases, spreadsheets, displays that
demonstrate compliance.
R8. Each Balancing Authority shall payback Inadvertent Interchange using ATEC rather than
bilateral and unilateral payback. [Violation Risk Factor: Medium] [Time Horizon:
Operations Assessment]
M8. Forms of acceptable evidence of compliance with Requirement R8 include but are
not limited to historical On-Peak and Off-Peak Inadvertent Interchange data, data
from the WECC Interchange Tool, and ACE data.
C. Compliance
1. Compliance Monitoring Process
1.1 Compliance Enforcement Authority
The Regional Entity shall serve as the Compliance Enforcement Authority.
For entities that do not work for the Regional Entity, the Regional Entity shall serve
as the Compliance Enforcement Authority.
For Reliability Coordinators and other functional entities that work for their
Regional Entity, the ERO or a Regional Entity approved by the ERO and FERC or
other applicable governmental authorities shall serve as the Compliance
Enforcement Authority.
WECC Standard BAL-004-WECC-02 Automatic Time Error Correction
Page 5 of 12
For responsible entities that are also Regional Entities, the ERO or a Regional Entity
approved by the ERO and FERC or other applicable governmental authorities shall
serve as the Compliance Enforcement Authority.
1.2 Compliance Monitoring and Assessment Processes:
Compliance Audits
Self-Certifications
Spot Checking
Compliance Investigations
Self-Reporting
Complaints
1.3 Evidence Retention
The following evidence retention periods identify the period of time an entity is
required to retain specific evidence to demonstrate compliance. For instances
where the evidence retention period specified below is shorter than the time since
the last audit, the Compliance Enforcement Authority may ask an entity to provide
other evidence to show that it was compliant for the full time period since the last
audit.
Each Balancing Authority in the Western Interconnection shall retain the values of
PII
hourly
,
PII
accum
(On-Peak and Off-Peak), TE and any month-end adjustments for
the preceding calendar year (January December), as well as the current calendar
year.
Each Balancing Authority in the Western Interconnection shall retain the amount of
time the Balancing Authority operated without ATEC for the preceding calendar
year (January December), as well as the current calendar year.
1.4 Additional Compliance Information
None
WECC Standard BAL-004-WECC-02 Automatic Time Error Correction
Page 6 of 12
Table of Compliance Elements
R # Time
Horizon
VRF Violation Severity Levels
Lower VSL Moderate VSL High VSL Severe VSL
R1 Operations
Assessment
Medium Following the
conclusion of each
month each Balancing
Authoritys absolute
value of PII
accum
for
either the On-Peak
period or Off-Peak
period exceeded
150%, but was less
than or equal to 160%
of the previous
calendar years Peak
Demand or peak
generation for
generation-only
Balancing Authorities.
Following the
conclusion of each
month each Balancing
Authoritys absolute
value of PII
accum
for
either the On-Peak
period or Off-Peak
period exceeded
160%, but was less
than or equal to 170%
of the previous
calendar years Peak
Demand or peak
generation for
generation-only
Balancing Authorities.
Following the
conclusion of each
month each Balancing
Authoritys absolute
value of PII
accum
for
either the On-Peak
period or Off-Peak
period exceeded
170%, but was less
than or equal to 180%
of the previous
calendar years Peak
Demand or peak
generation for
generation-only
Balancing Authorities.
Following the
conclusion of each
month each Balancing
Authoritys absolute
value of PII
accum
for
either the On-Peak
period or Off-Peak
period exceeded 180%
of the previous
calendar years Peak
Demand or peak
generation for
generation-only
Balancing Authorities.
R2
Operations
Assessment
Medium The Balancing
Authority did not
recalculate PII
hourly
and adjust the PII
accum
within 90 days of the
discovery of the error;
but made the
required
recalculations and
adjustments within
120 days.
The Balancing
Authority did not
recalculate PII
hourly
and
adjust the PII
accum
within 120 days of the
discovery of the error;
but made the required
recalculations and
adjustments within
150 days.
The Balancing
Authority did not
recalculate PII
hourly
and
adjust the PII
accum
within 150 days of the
discovery of the error;
but made the required
recalculations and
adjustments within
180 days.
The Balancing
Authority did not
recalculate PII
hourly
and
adjust PII
accum
within
180 days of the
discovery of the error.
WECC Standard BAL-004-WECC-02 Automatic Time Error Correction
Page 7 of 12
R # Time
Horizon
VRF Violation Severity Levels
Lower VSL Moderate VSL High VSL Severe VSL
R3 Real-Time
Operations
Medium The Balancing
Authority operated
during a calendar
quarter without ATEC
in service for more
than an accumulated
24 hours, but less than
or equal to 72 hours.
The Balancing
Authority operated
during a calendar
quarter without ATEC
in service for more
than an accumulated
72 hours, but less than
or equal to 120 hours.
The Balancing
Authority operated
during a calendar
quarter without ATEC
in service for more
than an accumulated
120 hours, but less
than or equal to 168
hours
The Balancing
Authority operated
during a calendar
quarter without ATEC
in service for more
than an accumulated
168 hours.
R4 Operations
Assessment
Medium The Balancing
Authority did not
compute PII
hourly
,
PII
accum
, and I
ATEC
within 50 minutes, but
made the required
calculations in less
than or equal to two
hours.
The Balancing
Authority did not
compute PII
hourly
,
PII
accum
, and I
ATEC
within two hours, but
made the required
calculations in less
than or equal to four
hours.
The Balancing
Authority did not
compute PII
hourly
,
PII
accum
, and I
ATEC
within four hours, but
made the required
calculations in less
than or equal to six
hours.
The Balancing
Authority did not
compute PII
hourly
,
PII
accum
, and I
ATEC
within six hours.
R5 Real-Time
Operations
Medium N/A N/A N/A The Balancing
Authority is not able
to change its AGC
operating mode
between Flat
Frequency (for
blackout restoration;
Flat Tie Line (for loss
of frequency
WECC Standard BAL-004-WECC-02 Automatic Time Error Correction
Page 8 of 12
R # Time
Horizon
VRF Violation Severity Levels
Lower VSL Moderate VSL High VSL Severe VSL
telemetry); Tie Line
Bias; or Tie Line Bias
plus Time Error
control (used in ATEC
mode).
R6 Operations
Assessment
Medium N/A N/A N/A When making
adjustments to hourly
Inadvertent
Interchange or TE,
the Balancing
Authority did not
recalculate the PII
hourly
and the PII
accum
for the
On-Peak and Off-Peak
periods.
R7 Operations
Assessment
Medium N/A N/A N/A When making any
month-end meter
reading adjustments
to Inadvertent
Interchange, the
Balancing Authority
did not make the
same adjustment to
the PII
accum
.
R8 Operations
Assessment
Medium N/A N/A N/A The Balancing
Authority paid back
Inadvertent
WECC Standard BAL-004-WECC-02 Automatic Time Error Correction
Page 9 of 12
R # Time
Horizon
VRF Violation Severity Levels
Lower VSL Moderate VSL High VSL Severe VSL
Interchange using
bilateral and unilateral
payback rather than
using ATEC.
WECC Standard BAL-004-WECC-02 Automatic Time Error Correction
Page 10 of 12
Guidelines and Technical Basis
During development of this standard, text boxes were embedded within the standard to explain the
rationale for various parts of the standard. Upon BOT approval, the text from the rationale text boxes
was moved to this section.
Requirement R1:
Premise: Each Balancing Authority should ensure that the absolute value of its PII
accum
for both the On-
Peak period and the Off-Peak period each individually does not exceed 150% of the previous years
Peak Demand for load-serving Balancing Authorities and 150% of the previous years peak generation
for generation-only Balancing Authorities. The Balancing Authority is required to take action to keep
each PII
accum
period within the limit. For example, the Balancing Authorities actions may include:
Identifying and correcting the source of any metering or accounting error(s) and recalculating
the hourly Primary Inadvertent Interchange (PII
hourly
) and the PII
accum
from the time of the error;
Validating the implementation of ATEC; or
Setting L
max
equal to L
10.
until the PII
accum
is below the limit in Requirement R1.
Justification: PII
accum
may grow from month-end adjustments and metering errors, even with the
inclusion of I
ATEC
in the ACE equation.
Goal: To limit the amount of PII
accum
that a Balancing Authority can have at the end of each month.
Requirement R2:
Premise: When a Balancing Authority finds an error in the calculation of its PII, the Balancing Authority
needs time to correct the error and recalculate PII and PII
accum
.
Justification: The drafting team selected 90 days as a reasonable amount of time to correct an error
and recalculate PII and PII
accum,
since recalculation of PII and PII
accum
is not a real-time operations
reliability issue.
Goal: To promote the timely correction of errors in the calculation of PII and PII
accum
.
Requirement R3:
Premise: When a Balancing Authority is not participating in ATEC, payback of PII
accum
is delayed.
Justification: The limit of 24 hours per quarter discourages a Balancing Authority from withdrawing
ATEC participation, for example, for economic gain during selected hours. If the limits were increased
to 60 hours, a Balancing Authority could technically withdraw ATEC participation for one hour from
Monday to Friday.
WECC Standard BAL-004-WECC-02 Automatic Time Error Correction
Page 11 of 12
Goal: To promote fair and timely payback of PII
accum
balances.
Requirement R4:
Premise: PII
hourly
, PII
accum
, and I
ATEC
should be determined before the next scheduling hour begins.
Justification: To promote timely calculations 50 minutes was selected because it is before the next hour
ramp begins and permits time to collect the data and resolve interchange metering values.
Goal: To promote the timely calculation of PII
hourly
, PII
accum
, and I
ATEC
.
Requirement R5:
Premise: The ACE equation, and hence the AGC mode, will contain any number of parameters based
on system operating conditions. Various AGC modes are identified corresponding to those operating
conditions, as well as the specific sets of parameters included in the ACE equation.
Justification: Changing to the proper operating mode, corresponding to current operating conditions,
affords proper movement of generating units in response to those conditions. The addition of the ATEC
term results in an additional AGC mode and a different set of parameters. The inability to correctly
calculate the ATEC term would dictate that AGC not be operated in the ATEC mode.
Goal: To set the AGC mode and calculate ACE in a manner that corresponds to the system operating
conditions and to accommodate changes in those conditions.
Requirement R6:
Premise: Hourly adjustments to hourly Inadvertent Interchange (II) require a recalculation of the
corresponding hourly PII value, the corresponding PII
accum
, and all subsequent PII
accum
for every hour up
to the current hour.
Justification: As PII
hourly
is corrected, then PII
accum
should be recalculated.
Goal: To promote accurate, fair and timely payback of accumulated PII balances.
Requirement R7:
Premise: Month-end meter-reading adjustments are made, for example, when a Balancing Authority
performs monthly comparisons of recorded month-end Net Actual Interchange (NI
A
) values derived
from hourly Actual Interchange Telemetered Values against month-end Actual Interchange Register
Meter readings.
Justification: Month-end adjustments to II
accum
are applied as 100% PII
accum
. 100% was chosen for
simplicity to bilaterally assign PII
accum
to both Balancing Authorities, since the effect of this metering
error on system frequency is not easily determined over the course of a month.
WECC Standard BAL-004-WECC-02 Automatic Time Error Correction
Page 12 of 12
Goal: To provide a mechanism by which corresponding month-end II adjustments can be applied to
PII
accum
, when such adjustments cannot be attributed to any one particular hour or series of hours.
Requirement R8:
Premise: ATEC includes automatic unilateral payback of Primary Inadvertent Interchange and
Secondary Inadvertent Interchange.
Justification: Additional unilateral and bilateral exchanges disturb the balance and distribution
between Primary Inadvertent Interchange and Secondary Inadvertent Interchange throughout the
Interconnection; thereby stranding Secondary Inadvertent Interchange.
Goal: To not strand Secondary Inadvertent Interchange.
Version History
Version Date Action Change Tracking
1 February 4, 2003 Effective Date. New
1 October 17, 2006 Created Standard from Procedure. Errata
1 February 6, 2007 Changed the Standard Version from
0 to 1 in the Version History Table.
Errata
1 February 6, 2007 The upper limit bounds to the
amount of Automatic Time Error
Correction term was inadvertently
omitted during the Standard
Translation. The bound was added
to the requirement R1.4.
Errata
1 February 6, 2007 The statement The Time Monitor
may declare offsets in 0.001-second
increments was moved from
TEoffset to TDadj and offsets was
corrected to adjustments.
Errata
1 February 6, 2007 The reference to seconds was
deleted from the TE offset term.
Errata
1 June 19, 2007 The standard number BAL-STD-004-
1 was changed to BAL-004-WECC-01
to be consistent with the NERC
Regional Reliability Standard
Numbering Convention.
Errata
2 December 19, 2012 Adopted by NERC Board of Trustees
Standard BAL-005-0.2b Automatic Generation Control
Page 1 of 6
A. Introduction
1. Title: Automatic Generation Control
2. Number: BAL-005-0.2b
3. Purpose: This standard establishes requirements for Balancing Authority Automatic
Generation Control (AGC) necessary to calculate Area Control Error (ACE) and to routinely
deploy the Regulating Reserve. The standard also ensures that all facilities and load
electrically synchronized to the Interconnection are included within the metered boundary of a
Balancing Area so that balancing of resources and demand can be achieved.
4. Applicability:
4.1. Balancing Authorities
4.2. Generator Operators
4.3. Transmission Operators
4.4. Load Serving Entities
5. Effective Date: May 13, 2009
B. Requirements
R1. All generation, transmission, and load operating within an Interconnection must be included
within the metered boundaries of a Balancing Authority Area.
R1.1. Each Generator Operator with generation facilities operating in an Interconnection
shall ensure that those generation facilities are included within the metered boundaries
of a Balancing Authority Area.
R1.2. Each Transmission Operator with transmission facilities operating in an
Interconnection shall ensure that those transmission facilities are included within the
metered boundaries of a Balancing Authority Area.
R1.3. Each Load-Serving Entity with load operating in an Interconnection shall ensure that
those loads are included within the metered boundaries of a Balancing Authority Area.
R2. Each Balancing Authority shall maintain Regulating Reserve that can be controlled by AGC to
meet the Control Performance Standard. (Retirement approved by NERC BOT pending
applicable regulatory approval.)
R3. A Balancing Authority providing Regulation Service shall ensure that adequate metering,
communications, and control equipment are employed to prevent such service from becoming
a Burden on the Interconnection or other Balancing Authority Areas.
R4. A Balancing Authority providing Regulation Service shall notify the Host Balancing
Authority for whom it is controlling if it is unable to provide the service, as well as any
Intermediate Balancing Authorities.
R5. A Balancing Authority receiving Regulation Service shall ensure that backup plans are in
place to provide replacement Regulation Service should the supplying Balancing Authority no
longer be able to provide this service.
R6. The Balancing Authoritys AGC shall compare total Net Actual Interchange to total Net
Scheduled Interchange plus Frequency Bias obligation to determine the Balancing Authoritys
ACE. Single Balancing Authorities operating asynchronously may employ alternative ACE
calculations such as (but not limited to) flat frequency control. If a Balancing Authority is
unable to calculate ACE for more than 30 minutes it shall notify its Reliability Coordinator.
Standard BAL-005-0.2b Automatic Generation Control
Page 2 of 6
R7. The Balancing Authority shall operate AGC continuously unless such operation adversely
impacts the reliability of the Interconnection. If AGC has become inoperative, the Balancing
Authority shall use manual control to adjust generation to maintain the Net Scheduled
Interchange.
R8. The Balancing Authority shall ensure that data acquisition for and calculation of ACE occur at
least every six seconds.
R8.1. Each Balancing Authority shall provide redundant and independent frequency metering
equipment that shall automatically activate upon detection of failure of the primary
source. This overall installation shall provide a minimum availability of 99.95%.
R9. The Balancing Authority shall include all Interchange Schedules with Adjacent Balancing
Authorities in the calculation of Net Scheduled Interchange for the ACE equation.
R9.1. Balancing Authorities with a high voltage direct current (HVDC) link to another
Balancing Authority connected asynchronously to their Interconnection may choose to
omit the Interchange Schedule related to the HVDC link from the ACE equation if it is
modeled as internal generation or load.
R10. The Balancing Authority shall include all Dynamic Schedules in the calculation of Net
Scheduled Interchange for the ACE equation.
R11. Balancing Authorities shall include the effect of ramp rates, which shall be identical and
agreed to between affected Balancing Authorities, in the Scheduled Interchange values to
calculate ACE.
R12. Each Balancing Authority shall include all Tie Line flows with Adjacent Balancing Authority
Areas in the ACE calculation.
R12.1. Balancing Authorities that share a tie shall ensure Tie Line MW metering is
telemetered to both control centers, and emanates from a common, agreed-upon source
using common primary metering equipment. Balancing Authorities shall ensure that
megawatt-hour data is telemetered or reported at the end of each hour.
R12.2. Balancing Authorities shall ensure the power flow and ACE signals that are utilized for
calculating Balancing Authority performance or that are transmitted for Regulation
Service are not filtered prior to transmission, except for the Anti-aliasing Filters of Tie
Lines.
R12.3. Balancing Authorities shall install common metering equipment where Dynamic
Schedules or Pseudo-Ties are implemented between two or more Balancing
Authorities to deliver the output of Jointly Owned Units or to serve remote load.
R13. Each Balancing Authority shall perform hourly error checks using Tie Line megawatt-hour
meters with common time synchronization to determine the accuracy of its control equipment.
The Balancing Authority shall adjust the component (e.g., Tie Line meter) of ACE that is in
error (if known) or use the interchange meter error (I
ME
) term of the ACE equation to
compensate for any equipment error until repairs can be made.
R14. The Balancing Authority shall provide its operating personnel with sufficient instrumentation
and data recording equipment to facilitate monitoring of control performance, generation
response, and after-the-fact analysis of area performance. As a minimum, the Balancing
Authority shall provide its operating personnel with real-time values for ACE, Interconnection
frequency and Net Actual Interchange with each Adjacent Balancing Authority Area.
R15. The Balancing Authority shall provide adequate and reliable backup power supplies and shall
periodically test these supplies at the Balancing Authoritys control center and other critical
Standard BAL-005-0.2b Automatic Generation Control
Page 3 of 6
locations to ensure continuous operation of AGC and vital data recording equipment during
loss of the normal power supply.
R16. The Balancing Authority shall sample data at least at the same periodicity with which ACE is
calculated. The Balancing Authority shall flag missing or bad data for operator display and
archival purposes. The Balancing Authority shall collect coincident data to the greatest
practical extent, i.e., ACE, Interconnection frequency, Net Actual Interchange, and other data
shall all be sampled at the same time.
R17. Each Balancing Authority shall at least annually check and calibrate its time error and
frequency devices against a common reference. The Balancing Authority shall adhere to the
minimum values for measuring devices as listed below:
Device Accuracy
Digital frequency transducer 0.001 Hz
MW, MVAR, and voltage transducer 0.25 % of full scale
Remote terminal unit 0.25 % of full scale
Potential transformer 0.30 % of full scale
Current transformer 0.50 % of full scale
C. Measures
Not specified.
D. Compliance
1. Compliance Monitoring Process
1.1. Compliance Monitoring Responsibility
Balancing Authorities shall be prepared to supply data to NERC in the format defined
below:
1.1.1. Within one week upon request, Balancing Authorities shall provide NERC or
the Regional Reliability Organization CPS source data in daily CSV files with
time stamped one minute averages of: 1) ACE and 2) Frequency Error.
1.1.2. Within one week upon request, Balancing Authorities shall provide NERC or
the Regional Reliability Organization DCS source data in CSV files with time
stamped scan rate values for: 1) ACE and 2) Frequency Error for a time
period of two minutes prior to thirty minutes after the identified Disturbance.
1.2. Compliance Monitoring Period and Reset Timeframe
Not specified.
1.3. Data Retention
1.3.1. Each Balancing Authority shall retain its ACE, actual frequency, Scheduled
Frequency, Net Actual Interchange, Net Scheduled Interchange, Tie Line
meter error correction and Frequency Bias Setting data in digital format at the
same scan rate at which the data is collected for at least one year.
1.3.2. Each Balancing Authority or Reserve Sharing Group shall retain
documentation of the magnitude of each Reportable Disturbance as well as
the ACE charts and/or samples used to calculate Balancing Authority or
Standard BAL-005-0.2b Automatic Generation Control
Page 4 of 6
Reserve Sharing Group disturbance recovery values. The data shall be
retained for one year following the reporting quarter for which the data was
recorded.
1.4. Additional Compliance Information
Not specified.
2. Levels of Non-Compliance
Not specified.
E. Regional Differences
None identified.
F. Associated Documents
1. Appendix 1 Interpretation of Requirement R17 (February 12, 2008).
Version History
Version Date Action Change Tracking
0 February 8, 2005 Adopted by NERC Board of Trustees New
0 April 1, 2005 Effective Date New
0 August 8, 2005 Removed Proposed from Effective Date Errata
0a December 19, 2007 Added Appendix 1 Interpretation of R17
approved by BOT on May 2, 2007
Addition
0a January 16, 2008 Section F: added 1.; changed hyphen to en
dash. Changed font style for Appendix 1 to
Arial
Errata
0b February 12, 2008 Replaced Appendix 1 Interpretation of R17
approved by BOT on February 12, 2008 (BOT
approved retirement of Interpretation included in
BAL-005-0a)
Replacement
0.1b October 29, 2008 BOT approved errata changes; updated version
number to 0.1b
Errata
0.1b May 13, 2009 FERC approved Updated Effective Date Addition
0.2b March 8, 2012 Errata adopted by Standards Committee; (replaced
Appendix 1 with the FERC-approved revised
interpretation of R17 and corrected standard
version referenced in Interpretation by changing
from BAL-005-1 to BAL-005-0)
Errata
0.2b September 13, 2012 FERC approved Updated Effective Date Addition
0.2b February 7, 2013 R2 and associated elements approved by NERC
Board of Trustees for retirement as part of the
Paragraph 81 project (Project 2013-02) pending
applicable regulatory approval.
Standard BAL-005-0.2b Automatic Generation Control
Page 5 of 6
Appendix 1
Effective Date: August 27, 2008 (U.S.)
Interpretation of BAL-005-0 Automatic Generation Control, R17
Request for Clarification received from PGE on July 31, 2007
PGE requests clarification regarding the measuring devices for which the requirement applies,
specifically clarification if the requirement applies to the following measuring devices:
Only equipment within the operations control room
Only equipment that provides values used to calculate AGC ACE
Only equipment that provides values to its SCADA system
Only equipment owned or operated by the BA
Only to new or replacement equipment
To all equipment that a BA owns or operates
BAL-005-0
R17. Each Balancing Authority shall at least annually check and calibrate its time error and frequency
devices against a common reference. The Balancing Authority shall adhere to the minimum values for
measuring devices as listed below:
Device Accuracy
Digital frequency transducer 0.001 Hz
MW, MVAR, and voltage transducer 0.25% of full scale
Remote terminal unit 0.25% of full scale
Potential transformer 0.30% of full scale
Current transformer 0.50% of full scale
Existing Interpretation Approved by Board of Trustees May 2, 2007
BAL-005-0, Requirement 17 requires that the Balancing Authority check and calibrate its control room
time error and frequency devices against a common reference at least annually. The requirement to
annually check and calibrate does not address any devices outside of the operations control room.
The table represents the design accuracy of the listed devices. There is no requirement within the standard
to annually check and calibrate the devices listed in the table, unless they are included in the control
center time error and frequency devices.
Interpretation provided by NERC Frequency Task Force on September 7, 2007 and Revised on
November 16, 2007
As noted in the existing interpretation, BAL-005-0 Requirement 17 applies only to the time error and
frequency devices that provide, or in the case of back-up equipment may provide, input into the reporting
or compliance ACE equation or provide real-time time error or frequency information to the system
operator. Frequency inputs from other sources that are for reference only are excluded. The time error and
frequency measurement devices may not necessarily be located in the system operations control room or
owned by the Balancing Authority; however the Balancing Authority has the responsibility for the
accuracy of the frequency and time error measurement devices. No other devices are included in R 17.
Standard BAL-005-0.2b Automatic Generation Control
Page 6 of 6
The other devices listed in the table at the end of R17 are for reference only and do not have any
mandatory calibration or accuracy requirements.
New or replacement equipment that provides the same functions noted above requires the same
calibrations. Some devices used for time error and frequency measurement cannot be calibrated as such.
In this case, these devices should be cross-checked against other properly calibrated equipment and
replaced if the devices do not meet the required level of accuracy.
Standard BAL-006-2 Inadvertent Interchange
1
A. Introduction
1. Title: Inadvertent Interchange
2. Number: BAL-006-2
3. Purpose:
This standard defines a process for monitoring Balancing Authorities to ensure that, over the
long term, Balancing Authority Areas do not excessively depend on other Balancing Authority
Areas in the Interconnection for meeting their demand or Interchange obligations.
4. Applicability:
4.1. Balancing Authorities.
5. Effective Date: First day of first calendar quarter after applicable regulatory approval,
or in those jurisdictions where no regulatory approval is required, first day of first calendar
quarter after Board of Trustees adoption.
B. Requirements
R1. Each Balancing Authority shall calculate and record hourly Inadvertent Interchange.
(Violation Risk Factor: Lower)
R2. Each Balancing Authority shall include all AC tie lines that connect to its Adjacent Balancing
Authority Areas in its Inadvertent Interchange account. The Balancing Authority shall take
into account interchange served by jointly owned generators. (Violation Risk Factor: Lower)
R3. Each Balancing Authority shall ensure all of its Balancing Authority Area interconnection
points are equipped with common megawatt-hour meters, with readings provided hourly to the
control centers of Adjacent Balancing Authorities. (Violation Risk Factor: Lower)
R4. Adjacent Balancing Authority Areas shall operate to a common Net Interchange Schedule and
Actual Net Interchange value and shall record these hourly quantities, with like values but
opposite sign. Each Balancing Authority shall compute its Inadvertent Interchange based on
the following: (Violation Risk Factor: Lower)
R4.1. Each Balancing Authority, by the end of the next business day, shall agree with its
Adjacent Balancing Authorities to: (Violation Risk Factor: Lower)
R4.1.1. The hourly values of Net Interchange Schedule. (Violation Risk Factor:
Lower)
R4.1.2. The hourly integrated megawatt-hour values of Net Actual Interchange.
(Violation Risk Factor: Lower)
R4.2. Each Balancing Authority shall use the agreed-to daily and monthly accounting data to
compile its monthly accumulated Inadvertent Interchange for the On-Peak and Off-
Peak hours of the month. (Violation Risk Factor: Lower)
R4.3. A Balancing Authority shall make after-the-fact corrections to the agreed-to daily and
monthly accounting data only as needed to reflect actual operating conditions (e.g. a
meter being used for control was sending bad data). Changes or corrections based on
non-reliability considerations shall not be reflected in the Balancing Authoritys
Inadvertent Interchange. After-the-fact corrections to scheduled or actual values will
not be accepted without agreement of the Adjacent Balancing Authority(ies).
(Violation Risk Factor: Lower)
R5. Adjacent Balancing Authorities that cannot mutually agree upon their respective Net Actual
Interchange or Net Scheduled Interchange quantities by the 15th calendar day of the following
Standard BAL-006-2 Inadvertent Interchange
2
month shall, for the purposes of dispute resolution, submit a report to their respective Regional
Reliability Organization Survey Contact. The report shall describe the nature and the cause of
the dispute as well as a process for correcting the discrepancy. (Violation Risk Factor: Lower)
C. Measures
None specified.
D. Compliance
1. Compliance Monitoring Process
1.1. Each Balancing Authority shall submit a monthly summary of Inadvertent Interchange.
These summaries shall not include any after-the-fact changes that were not agreed to
by the Source Balancing Authority, Sink Balancing Authority and all Intermediate
Balancing Authority(ies).
1.2. Inadvertent Interchange summaries shall include at least the previous accumulation, net
accumulation for the month, and final net accumulation, for both the On-Peak and Off-
Peak periods.
1.3. Each Balancing Authority shall submit its monthly summary report to its Regional
Reliability Organization Survey Contact by the 15th calendar day of the following
month.
1.4. Each Balancing Authority shall perform an Area Interchange Error (AIE) Survey as
requested by the NERC Operating Committee to determine the Balancing Authoritys
Interchange error(s) due to equipment failures or improper scheduling operations, or
improper AGC performance.
1.5. Each Regional Reliability Organization shall prepare a monthly Inadvertent
Interchange summary to monitor the Balancing Authorities monthly Inadvertent
Interchange and all-time accumulated Inadvertent Interchange. Each Regional
Reliability Organization shall submit a monthly accounting to NERC by the 22nd day
following the end of the month being summarized.
Standard BAL-006-2 Inadvertent Interchange
3
2. Violation Severity Levels
R# Lower VSL Moderate VSL High VSL Severe VSL
R1. N/A N/A N/A Each Balancing Authority failed to
calculate and record hourly
Inadvertent Interchange.
R2. N/A N/A The Balancing Authority failed to
include all AC tie lines that
connect to its Adjacent Balancing
Authority Areas in its Inadvertent
Interchange account.
OR
Failed to take into account
interchange served by jointly
owned generators.
The Balancing Authority failed to
include all AC tie lines that
connect to its Adjacent Balancing
Authority Areas in its Inadvertent
Interchange account.
AND
Failed to take into account
interchange served by jointly
owned generators.
R3. N/A N/A N/A The Balancing Authority failed to
ensure all of its Balancing
Authority Area interconnection
points are equipped with common
megawatt-hour meters, with
readings provided hourly to the
control centers of Adjacent
Balancing Authorities.
R4. The Balancing Authority failed to
record Actual Net Interchange
values that are equal but opposite
in sign to its Adjacent Balancing
Authorities.
The Balancing Authority failed to
compute Inadvertent Interchange.
The Balancing Authority failed to
operate to a common Net
Interchange Schedule that is equal
but opposite to its Adjacent
Balancing Authorities.
N/A
R4.1. N/A N/A N/A The Balancing Authority, by the
end of the next business day, failed
to agree with its Adjacent
Balancing Authorities to the hourly
values of Net Interchanged
Standard BAL-006-2 Inadvertent Interchange
4
R# Lower VSL Moderate VSL High VSL Severe VSL
Schedule.
AND
The hourly integrated megawatt-
hour values of Net Actual
Interchange.
R4.1.1. N/A N/A N/A The Balancing Authority, by the
end of the next business day, failed
to agree with its Adjacent
Balancing Authorities to the hourly
values of Net Interchanged
Schedule.
R4.1.2. N/A N/A N/A The Balancing Authority, by the
end of the next business day, failed
to agree with its Adjacent
Balancing Authorities to the hourly
integrated megawatt-hour values of
Net Actual Interchange.
R4.2. N/A N/A N/A The Balancing Authority failed to
use the agreed-to daily and
monthly accounting data to
compile its monthly accumulated
Inadvertent Interchange for the On-
Peak and Off-Peak hours of the
month.
R4.3. N/A N/A N/A The Balancing Authority failed to
make after-the-fact corrections to
the agreed-to daily and monthly
accounting data to reflect actual
operating conditions or changes or
corrections based on non-reliability
considerations were reflected in the
Balancing Authoritys Inadvertent
Standard BAL-006-2 Inadvertent Interchange
5
R# Lower VSL Moderate VSL High VSL Severe VSL
Interchange.
R5. Adjacent Balancing Authorities
that could not mutually agree upon
their respective Net Actual
Interchange or Net Scheduled
Interchange quantities, submitted a
report to their respective Regional
Reliability Organizations Survey
Contact describing the nature and
the cause of the dispute but failed
to provide a process for correcting
the discrepancy.
Adjacent Balancing Authorities
that could not mutually agree upon
their respective Net Actual
Interchange or Net Scheduled
Interchange quantities by the 15th
calendar day of the following
month, failed to submit a report to
their respective Regional
Reliability Organizations Survey
Contact describing the nature and
the cause of the dispute as well as a
process for correcting the
discrepancy.
N/A N/A
Standard BAL-006-2 Inadvertent Interchange
6
E. Regional Differences
1. Inadvertent Interchange Accounting Waiver approved by the Operating Committee on March
25, 2004includes SPP effective May 1, 2006.
Version History
Version Date Action Change Tracking
0 April 1, 2005 Effective Date New
0 August 8, 2005 Removed Proposed from Effective Date Errata
1 April 6, 2006 Added following to Effective Date: This
standard will expire for one year beyond the
effective date or when replaced by a new version
of BAL-006, whichever comes first.
Errata
2 November 5, 2009 Added approved VRFs and VSLs to document.
Removed MISO from list of entities with an
Inadvertent Interchange Accounting Waiver
(Project 2009-18).
Revision
2 November 5, 2009 Approved by the Board of Trustees
2 J anuary 6, 2011 Approved by FERC
Standard BAL-502-RFC-02
Page 1 of 8
A. Introduction
1. Title: Planning Resource Adequacy Analysis, Assessment and Documentation
2. Number: BAL-502-RFC-02
3. Purpose:
To establish common criteria, based on one day in ten year loss of Load expectation principles,
for the analysis, assessment and documentation of Resource Adequacy for Load in the
ReliabilityFirst Corporation (RFC) region
4. Applicability
4.1 Planning Coordinator
5. Effective Date:
5.1 Upon RFC Board approval
B. Requirements
R1 The Planning Coordinator shall perform and document a Resource Adequacy analysis
annually. The Resource Adequacy analysis shall [Violation Risk Factor: Medium]:
R1.1 Calculate a planning reserve margin that will result in the sum of the probabilities
for loss of Load for the integrated peak hour for all days of each planning year
1
analyzed (per R1.2) being equal to 0.1. (This is comparable to a one day in 10
year criterion).
R1.1.1 The utilization of Direct Control Load Management or curtailment of
Interruptible Demand shall not contribute to the loss of Load
probability.
R1.1.2 The planning reserve margin developed from R1.1 shall be expressed as
a percentage of the median
2
forecast peak Net Internal Demand
(planning reserve margin).
R1.2 Be performed or verified separately for each of the following planning years:
1
The annual period over which the LOLE is measured, and the resulting resource requirements are established (J une
1
st
through the following May 31
st
).
2
The median forecast is expected to have a 50% probability of being too high and 50% probability of being too low
(50:50).
Standard BAL-502-RFC-02
Page 2 of 8
R1.2.1 Perform an analysis for Year One.
R1.2.2 Perform an analysis or verification at a minimum for one year in the 2
through 5 year period and at a minimum one year in the 6 though 10 year
period.
R1.2.2.1 If the analysis is verified, the verification must be
supported by current or past studies for the same
planning year.
R1.3 Include the following subject matter and documentation of its use:
R1.3.1 Load forecast characteristics:
Median (50:50) forecast peak Load.
Load forecast uncertainty (reflects variability in the Load forecast
due to weather and regional economic forecasts).
Load diversity.
Seasonal Load variations.
Daily demand modeling assumptions (firm, interruptible).
Contractual arrangements concerning curtailable/Interruptible
Demand.
R1.3.2 Resource characteristics:
Historic resource performance and any projected changes
Seasonal resource ratings
Modeling assumptions of firm capacity purchases from and sales to
entities outside the Planning Coordinator area.
Resource planned outage schedules, deratings, and retirements.
Modeling assumptions of intermittent and energy limited resource
such as wind and cogeneration.
Criteria for including planned resource additions in the analysis
R1.3.3 Transmission limitations that prevent the delivery of generation reserves
R1.3.3.1 Criteria for including planned Transmission Facility
additions in the analysis
Standard BAL-502-RFC-02
Page 3 of 8
R1.3.4 Assistance from other interconnected systems including multi-area assessment
considering Transmission limitations into the study area.
R1.4 Consider the following resource availability characteristics and document how
and why they were included in the analysis or why they were not included:
Availability and deliverability of fuel.
Common mode outages that affect resource availability
Environmental or regulatory restrictions of resource availability.
Any other demand (Load) response programs not included in R1.3.1.
Sensitivity to resource outage rates.
Impacts of extreme weather/drought conditions that affect unit availability.
Modeling assumptions for emergency operation procedures used to make
reserves available.
Market resources not committed to serving Load (uncommitted resources)
within the Planning Coordinator area.
R1.5 Consider Transmission maintenance outage schedules and document how and
why they were included in the Resource Adequacy analysis or why they were not
included
R1.6 Document that capacity resources are appropriately accounted for in its Resource
Adequacy analysis
R1.7 Document that all Load in the Planning Coordinator area is accounted for in its
Resource Adequacy analysis
R2 The Planning Coordinator shall annually document the projected Load and resource capability,
for each area or Transmission constrained sub-area identified in the Resource Adequacy analysis
[Violation Risk Factor: Lower].
R2.1 This documentation shall cover each of the years in Year One through ten.
R2.2 This documentation shall include the planning reserve margin calculated per
requirement R1.1 for each of the three years in the analysis.
R2.3 The documentation as specified per requirement R2.1 and R2.2 shall be publicly posted
no later than 30 calendar days prior to the beginning of Year One.
Standard BAL-502-RFC-02
Page 4 of 8
C. Measures
M1 Each Planning Coordinator shall possess the documentation that a valid Resource Adequacy
analysis was performed or verified in accordance with R1
M2 Each Planning Coordinator shall possess the documentation of its projected Load and resource
capability, for each area or Transmission constrained sub-area identified in the Resource
Adequacy analysis on an annual basis in accordance with R2.
D. Compliance
1. Compliance Monitoring Process
1.1. Compliance Monitoring Responsibility
Compliance Monitor - ReliabilityFirst Corporation
1.2. Compliance Monitoring Period and Reset Timeframe
One calendar year
1.3. Data Retention
The Planning Coordinator shall retain information from the most current and prior two
years.
The Compliance Monitor shall retain any audit data for five years.
2. Violation Severity Levels
Req.
Number
VIOLATION SEVERITY LEVEL
LOWER MODERATE HIGH SEVERE
R1 The Planning
Coordinator Resource
Adequacy analysis
failed to consider 1 or 2
of the Resource
availability
characteristics
subcomponents under
R1.4 and documentation
of how and why they
were included in the
analysis or why they
The Planning
Coordinator Resource
Adequacy analysis
failed to express the
planning reserve margin
developed from R1.1 as
a percentage of the net
Median forecast peak
Load per R1.1.2
OR
The Planning
Coordinator Resource
Adequacy analysis
failed to be performed
or verified separately
for individual years of
Year One through Year
Ten per R1.2
OR
The Planning
Coordinator failed to
perform and document a
Resource Adequacy
analysis annually per
R1.
OR
The Planning
Coordinator Resource
Standard BAL-502-RFC-02
Page 5 of 8
were not included
OR
The Planning
Coordinator Resource
Adequacy analysis
failed to consider
Transmission
maintenance outage
schedules and document
how and why they were
included in the analysis
or why they were not
included per R1.5
The Planning
Coordinator Resource
Adequacy analysis
failed to include 1 of the
Load forecast
Characteristics
subcomponents under
R1.3.1 and
documentation of its use
OR
The Planning
Coordinator Resource
Adequacy analysis
failed to include 1 of the
Resource
Characteristics
subcomponents under
R1.3.2 and
documentation of its use
Or
The Planning
Coordinator Resource
Adequacy analysis
failed to document that
all Load in the Planning
Coordinator area is
accounted for in its
Resource Adequacy
analysis per R1.7
The Planning
Coordinator failed to
perform an analysis or
verification for one year
in the 2 through 5 year
period or one year in the
6 though 10 year period
or both per R1.2.2
OR
The Planning
Coordinator Resource
Adequacy analysis
failed to include 2 or
more of the Load
forecast Characteristics
subcomponents under
R1.3.1 and
documentation of their
use
OR
The Planning
Coordinator Resource
Adequacy analysis
failed to include 2 or
more of the Resource
Characteristics
subcomponents under
R1.3.2 and
documentation of their
use
OR
The Planning
Coordinator Resource
Adequacy analysis
failed to include
Transmission
limitations and
documentation of its use
Adequacy analysis
failed to calculate a
Planning reserve margin
that will result in the
sum of the probabilities
for loss of Load for the
integrated peak hour for
all days of each
planning year analyzed
for each planning period
being equal to 0.1 per
R1.1
OR
The Planning
Coordinator failed to
perform an analysis for
Year One per R1.2.1
Standard BAL-502-RFC-02
Page 6 of 8
per R1.3.3
OR
The Planning
Coordinator Resource
Adequacy analysis
failed to include
assistance from other
interconnected systems
and documentation of
its use per R1.3.4
OR
The Planning
Coordinator Resource
Adequacy analysis
failed to consider 3 or
more Resource
availability
characteristics
subcomponents under
R1.4 and documentation
of how and why they
were included in the
analysis or why they
were not included
OR
The Planning
Coordinator Resource
Adequacy analysis
failed to document that
capacity resources are
appropriately accounted
for in its Resource
Adequacy analysis per
R1.6
R2 The Planning
Coordinator failed to
publicly post the
documents as specified
The Planning
Coordinator failed to
document the projected
Load and resource
The Planning
Coordinator failed to
document the projected
Load and resource
The Planning
Coordinator failed to
document the projected
Load and resource
Standard BAL-502-RFC-02
Page 7 of 8
per requirement R2.1
and R2.2 later than 30
calendar days prior to
the beginning of Year
One per R2.3
capability, for each area
or Transmission
constrained sub-area
identified in the
Resource Adequacy
analysis for one of the
years in the 2 through
10 year period per R2.1.
OR
The Planning
Coordinator failed to
document the Planning
Reserve margin
calculated per
requirement R1.1 for
each of the three years
in the analysis per R2.2.
capability, for each area
or Transmission
constrained sub-area
identified in the
Resource Adequacy
analysis for year 1 of
the 10 year period per
R2.1.
OR
The Planning
Coordinator failed to
document the projected
Load and resource
capability, for each area
or Transmission
constrained sub-area
identified in the
Resource Adequacy
analysis for two or more
of the years in the 2
through 10 year period
per R2.1.
capability, for each area
or Transmission
constrained sub-area
identified in the
Resource Adequacy
analysis per R2.
Definitions:
Resource Adequacy - the ability of supply-side and demand-side resources to meet the aggregate
electrical demand (including losses).
Net Internal Demand - Total of all end-use customer demand and electric system losses within
specified metered boundaries, less Direct Control Load Management and Interruptible Demand.
Peak Period - A period consisting of two (2) or more calendar months but less than seven (7)
calendar months, which includes the period during which the responsible entity's annual peak demand
is expected to occur
Year One - The planning year that begins with the upcoming annual Peak Period.
The following definitions were extracted from the February 12
th
, 2008 NERC Glossary of
Terms:
Standard BAL-502-RFC-02
Page 8 of 8
Direct Control Load Management Demand-Side Management that is under the direct control of
the system operator. DCLM may control the electric supply to individual appliances or equipment on
customer premises. DCLM as defined here does not include Interruptible Demand.
Facility - A set of electrical equipment that operates as a single Bulk Electric System Element (e.g., a
line, a generator, a shunt compensator, transformer, etc.)
Interruptible Demand - Demand that the end-use customer makes available to its Load-Serving
Entity via contract or agreement for curtailment.
Load - An end-use device or customer that receives power from the electric system.
Transmission - An interconnected group of lines and associated equipment for the movement or
transfer of electric energy between points of supply and points at which it is transformed for delivery
to customers or is delivered to other electric systems.
Version History
Version Date Action Change Tracking
BAL-502-RFC-02
1
st
Draft
06/24/08
Through
07/23/08
Posted for 1
st
Comment Period
BAL-502-RFC-02
2
nd
Draft
08/18/08
Through
09/16/08
Posted for 2
nd
Comment Period
BAL-502-RFC-02
3
rd
Draft
10/16/08
Through
10/30/08
Posted for 15-Day Category Ballot
BAL-502-RFC-02
3
rd
Draft
12/04/08 ReliabilityFirst Board Approved
BAL-502-RFC-02 06/08/09 Planning Reserve changed to planning
reserve in R2.2.
Errata
BAL-502-RFC-02 08/05/09 Approved by NERC Board of Trustees
BAL-502-RFC-02 03/17/11 Order issued by FERC approving BAL-502-
RFC-02 (approval effective 5/23/11)
1
WECC Standard BAL-STD-002-0 - Operating Reserves
A. Introduction
1. Title: Operating Reserves
2. Number: BAL-STD-002-0
3. Purpose: Regional Reliability Standard to address the Operating Reserve requirements
of the Western Interconnection.
4. Applicability
4.1.1 This criterion applies to each Responsible Entity that is (i) a Balancing Authority or a
member of a Reserve Sharing Group that does not designate its Reserve Sharing Group as its
agent, or (ii) a Reserve Sharing Group. A Responsible Entity that is a Balancing Authority
and a member of a Reserve Sharing Group is subject to this criterion only as described in
Section A.4.1.2. A Responsible Entity that is a member of a Reserve Sharing Group is not
subject to this criterion on an individual basis.
4.1.2 Responsible Entities that are members of a Reserve Sharing Group may designate in
writing to WECC a Responsible Entity to act as agent for purposes of this criterion for each
such Reserve Sharing Group. Such Reserve Sharing Group agents shall be responsible for
all data submission requirements under Section D of this Reliability Agreement. Unless a
Reserve Sharing Group agent identifies individual Responsible Entities responsible for
noncompliance at the time of data submission, sanctions for noncompliance shall be
assessed against the agent on behalf of the Reserve Sharing Group, and it shall be the
responsibility of the members of the Reserve Sharing Group to allocate responsibility for
such noncompliance. If a Responsible Entity that is a member of a Reserve Sharing Group
does not designate in writing to WECC a Responsible Entity to act as agent for purposes of
this criterion for each such Reserve Sharing Group, such Responsible Entity shall be subject
to this criterion on an individual basis.
5. Effective Date: This Western Electricity Coordinating Council Regional Reliability
Standard will be effective when approved by the Federal Energy Regulatory Commission under
Section 215 of the Federal Power Act. This Regional Reliability Standard shall be in effect for
one year from the date of Commission approval or until a North American Standard or a revised
Western Electricity Coordinating Council Regional Reliability Standard goes into place,
whichever occurs first. At no time shall this regional Standard be enforced in addition to a
similar North American Standard.
B. Requirements
WR1.
The reliable operation of the interconnected power system requires that adequate
generating capacity be available at all times to maintain scheduled frequency and avoid
loss of firm load following transmission or generation contingencies. This generating
capacity is necessary to:
supply requirements for load variations.
replace generating capacity and energy lost due to forced outages of generation
or transmission equipment.
meet on-demand obligations.
2
WECC Standard BAL-STD-002-0 - Operating Reserves
replace energy lost due to curtailment of interruptible imports.
a. Minimum Operating Reserve. Each Balancing Authority shall maintain minimum
Operating Reserve which is the sum of the following:
(i) Regulating reserve. Sufficient Spinning Reserve, immediately responsive to
Automatic Generation Control (AGC) to provide sufficient regulating margin to
allow the Balancing Authority to meet NERC's Control Performance Criteria (see
BAL-001-0).
(ii) Contingency reserve. An amount of Spinning Reserve and Nonspinning Reserve
(at least half of which must be Spinning Reserve), sufficient to meet the NERC
Disturbance Control Standard BAL-002-0, equal to the greater of:
(a) The loss of generating capacity due to forced outages of generation or
transmission equipment that would result from the most severe single
contingency; or
(b) The sum of five percent of the load responsibility served by hydro generation
and seven percent of the load responsibility served by thermal generation.
The combined unit ramp rate of each Balancing Authority's on-line, unloaded
generating capacity must be capable of responding to the Spinning Reserve
requirement of that Balancing Authority within ten minutes
Additional reserve for interruptible imports. An amount of reserve, which can
be made effective within ten minutes, equal to interruptible imports.
(iv) Additional reserve for on-demand obligations. An amount of reserve, which
can be made effective within ten minutes, equal to on-demand obligations to
other entities or Balancing Authorities.
b. Acceptable types of Nonspinning Reserve. The Nonspinning Reserve obligations
identified in subsections a(ii), a(iii), and a(iv), if any, can be met by use of the
following:
(i) interruptible load;
(ii) interruptible exports;
(iii) on-demand rights from other entities or Balancing Authorities;
(iv) Spinning Reserve in excess of requirements in subsections a(i) and a(ii); or
(v) off-line generation which qualifies as Nonspinning Reserve.
c. Knowledge of Operating Reserve. Operating Reserves shall be calculated such
that the amount available which can be fully activated in the next ten minutes
will be known at all times.
3
WECC Standard BAL-STD-002-0 - Operating Reserves
d. Restoration of Operating Reserve. After the occurrence of any event
necessitating the use of Operating Reserve, that reserve shall be restored as
promptly as practicable. The time taken to restore reserves shall not exceed 60
minutes (Source: WECC Criterion)
C. Measures
WM1.
Except within the first 60 minutes following an event requiring the activation of
Operating Reserves, a Responsible Entity identified in Section A.4 must maintain 100%
of required Operating Reserve levels based upon data averaged over each clock hour.
Following every event requiring the activation of Operating Reserves, a Responsible
Entity identified in Section A.4 must re-establish the required Operating Reserve levels
within 60 minutes. (Source: Compliance Standard)
D. Compliance
1. Compliance Monitoring Process
1.1 Compliance Monitoring Responsibility
Western Electricity Coordinating Council (WECC)
1.2 Compliance Monitoring Period
At Occurrence and Quarterly
By no later than 5:00 p.m. Mountain Time on the first Business Day following the
day on which an instance of non-compliance occurs (or such other date specified in
Form A.1(a)), the Responsible Entities identified in SectionA.4 shall submit to the
WECC office Operating Reserve data in Form A.1(a) (available on the WECC web
site) for each such instance of non-compliance. On or before the tenth day of each
calendar quarter (or such other date specified in Form A.1(b)), the Responsible
Entities identified in Section A.4 (including Responsible Entities with no reported
instances of non-compliance) shall submit to the WECC office a completed
Operating Reserve summary compliance Form A.1(b) (available on the WECC web
site) for the immediately preceding calendar quarter.
1.3 Data Retention
Data will be retained in electronic form for at least one year. The retention period
will be evaluated before expiration of one year to determine if a longer retention
period is necessary. If the data is being reviewed to address a question of
compliance, the data will be saved beyond the normal retention period until the
question is formally resolved. (Source: NERC Language)
1.4. Additional Compliance Information
For purposes of applying the sanctions specified in Sanction Table for violations of
this criterion, the "Sanction Measure" is Average Generation and the "Specified
Period" is the most recent calendar month.(Source: Sanctions)
2. Levels of Non-Compliance Sanction
Measure: Average Generation
4
WECC Standard BAL-STD-002-0 - Operating Reserves
2.1. Level 1: There shall be a Level 1 non-compliance if any of the following
conditions exist:
2.1.1 One instance during a calendar month in which the Balancing
Authority's or the Reserve Sharing Group's Operating Reserve is less than
100% but greater than or equal to 90% of the required Operating Reserve.
2.2. Level 2: There shall be a Level 2 non-compliance if any of the following
conditions exist:
2.2.1 One instance during a calendar month in which the Balancing
Authority's or the Reserve Sharing Group's Operating Reserve is less than
90% but greater than or equal to 80% of the required Operating Reserve.
2.3. Level 3: There shall be a Level 3 non-compliance if any of the following
conditions exist:
2.3.1 One instance during a calendar month in which the Balancing
Authority's or the Reserve Sharing Group's Operating Reserve is less than
80% but greater than or equal to 70% of the required Operating Reserve.
2.4. Level 4: There shall be a Level 4 non-compliance if any of the following
conditions exist:
2.4.1 One instance during a calendar month in which the Balancing Authority's
or the Reserve Sharing Group's Operating Reserve is less than 70% of
the required Operating Reserve.
E. Regional Differences
Version History Shows Approval History and Summary of Changes in the Action Field
Version Date Action Change Tracking
0 March 12, 2007 Adopted by Board of Trustees New
0 J une 8, 2007 FERC order issued approving BAL-
STD-002-0
5
WECC Standard BAL-STD-002-0 - Operating Reserves
Sanction Table
Sanctions for non-compliance with respect to each criterion in Section B Requirements
shall be assessed pursuant to the following table. All monetary sanctions shall also
include sending of Letter (B).
Number of Occurrences at a Given Level within Specified Period
Level of Non-
1 2 3 4 or more
Level 1 Letter (A) Letter (B) Higher of $1,000
or $1 per MW of
Sanction Measure
Higher of $2,000
or $2 per MW of
Sanction
Measure
Level 2 Letter (B) Higher of $1,000
or $1 per MW of
Sanction Measure
Higher of $2,000
or $2 per MW of
Sanction Measure
Higher of $4,000
or $4 per MW of
Sanction
Measure
Level 3 Higher of $1,000
or $1 per MW of
Sanction Measure
Higher of $2,000
or $2 per MW of
Sanction Measure
Higher of $4,000
or $4 per MW of
Sanction Measure
Higher of $6,000
or $6 per MW of
Sanction
Measure
Level 4 Higher of $2,000
or $2 per MW of
Sanction Measure
Higher of $4,000
or $4 per MW of
Sanction Measure
Higher of $6,000
or $6 per MW of
Sanction Measure
Higher of
$10,000 or $10
per MW of
Sanction
Measure
Letter (A): Letter to Responsible Entity's Chief Executive Officer informing the
Responsible Entity of noncompliance with copies to NERC, WECC Member
Representative, and WECC Operating Committee Representative 1.
Letter (B): Identical to Letter (A), with additional copies to (i) Chairman of the Board of
Responsible Entity (if different from Chief Executive Officer), and to (ii) state or
provincial regulatory agencies with jurisdiction over Responsible Entity, and, in the case
of U.S. entities, FERC, and Department of Energy, if such government entities request
such information.
The "Specified Period" and the "Sanction Measure" are as specified in Section D1.4 for
each criterion.
Sanctions shall be assessed for all instances of non-compliance within a Specified Period.
For example, if a Responsible Entity had two instances of Level 1 non-compliance and
1 Copies of Letter A and Letter B will be sent to WECC Member Representative and WECC Operating
Committee Representative when the Generator Operator is a WECC member.
6
WECC Standard BAL-STD-002-0 - Operating Reserves
one instance of Level 3 non-compliance for a specific criterion in the first Specified
Period, it would be assessed the sanction from Column 2 of the Level 1 row, and the
sanction from Column 1 of the Level 3 row.
If the Responsible Entity fails to comply with a given criterion for two or more
consecutive Specified Periods, the sanctions assessed at each level of noncompliance for
the most recent Specified Period shall be the sanction specified in the column immediately
to the right of the indicated sanction. For example, if a Responsible Entity fails to comply
with a given criterion for two consecutive Specified Periods, and in the second Specified
Period the Responsible Entity has one instance of Level 1 non-compliance and two
instances of Level 3 non-compliance, it would be assessed the sanction from Column 2 of
the Level 1 row, and the sanction from Column 3 of the Level 3 row. If the sanction
assessed at the highest level is the sanction in Column 4, no such modification of the
specified sanction shall occur.
DEFINITIONS
Unless the context requires otherwise, all capitalized terms shall have the meanings
assigned in this Standard and as set out below:
Area Control Error or ACE means the instantaneous difference between net actual and
scheduled interchange, taking into account the effects of Frequency Bias including
correction for meter error.
Automatic Generation Control or AGC means equipment that automatically adjusts a
Control Area's generation from a central location to maintain its interchange schedule
plus Frequency Bias.
Average Generation means the total MWh generated within the Balancing Authority
Operator's Balancing Authority Area during the prior year divided by 8760 hours (8784
hours if the prior year had 366 days).
Business Day means any day other than Saturday, Sunday, or a legal public holiday as
designated in section 6103 of title 5, U.S. Code.
Disturbance means (i) any perturbation to the electric system, or (ii) the unexpected
change in ACE that is caused by the sudden loss of generation or interruption of load.
Extraordinary Contingency shall have the meaning set out in Excuse of Performance,
section B.4.c.
7
WECC Standard BAL-STD-002-0 - Operating Reserves
Frequency Bias means a value, usually given in megawatts per 0.1 Hertz, associated with
a Control Area that relates the difference between scheduled and actual frequency to the
amount of generation required to correct the difference.
Nonspinning Reserve means that Operating Reserve not connected to the system but
capable of serving demand within a specified time, or interruptible load that can be
removed from the system in a specified time.
Operating Reserve means that capability above firm system demand required to provide
for regulation, load-forecasting error, equipment forced and scheduled outages and local
area protection. Operating Reserve consists of Spinning Reserve and Nonspinning Reserve.
Spinning Reserve means unloaded generation which is synchronized and ready to serve
additional demand. It consists of Regulating reserve and Contingency reserve (as each are
described in Sections B.a.i and ii).
EXCUSE OF PERFORMANCE
A. Excused Non-Compliance
Non-compliance with any of the reliability criteria contained in this
Standard shall be excused and no sanction applied if such non-compliance
results directly from one or more of the actions or events listed below.
B. Specific Excuses
1. Governmental Order
The Reliability Entity's compliance with or action under any
applicable law or regulation or other legal obligation related thereto
or any curtailment, order, regulation or restriction imposed by any
governmental authority (other than the Reliability Entity, if the
Reliability Entity is a municipal corporation or a federal, state, or
provincial governmental entity or subdivision thereof).
2. Order of Reliability Coordinator
The Reliability Entity's compliance or reasonable effort to comply
with any instruction, directive, order or suggested action ("Security
Order") by the WECC Reliability Coordinator for the WECC sub-
region within which the Reliability Entity is operating, provided that
the need for such Security Order was not due to the Reliability
Entity's non-compliance with (a) the WECC Reliability Criteria for
Transmission System Planning, (b) the WECC Power Supply
8
WECC Standard BAL-STD-002-0 - Operating Reserves
Design Criteria, (c) the WECC Minimum Operating Reliability
Criteria, or (d) any other WECC reliability criterion, policy or
procedure then in effect (collectively, "WECC Reliability
Standards"), and provided further that the Reliability Entity in
complying or attempting to comply with such Security Order has
taken all reasonable measures to minimize Reliability Entity's non-
compliance with the reliability criteria.
3. Protection of Facilities
Any action taken or not taken by the Reliability Entity which, in the
reasonable judgment of the Reliability Entity, was necessary to
protect the operation, performance, integrity, reliability or stability of
the Reliability Entity's computer system, electric system (including
transmission and generating facilities), or any electric system with
which the Reliability Entity's electric system is interconnected,
whether such action occurs automatically or manually; provided that
the need for such action or inaction was not due to Reliability
Entity's non-compliance with any WECC Reliability Standard and
provided further that Reliability Entity could not have avoided the
need for such action or inaction through reasonable efforts taken in
a timely manner. Reasonable efforts shall include shedding load,
disconnecting facilities, altering generation patterns or schedules on
the transmission system, or purchasing energy or capacity, except to
the extent that the Reliability Entity demonstrates to the WECC
Staff and/or the RCC that in the particular circumstances such
action would have been unreasonable.
4. Extraordinary Contingency
a. Any Extraordinary Contingency (as defined in subsection
c); provided that this provision shall apply only to the
extent and for the duration that the Extraordinary
Contingency actually and reasonably prevented the
Reliability Entity from complying with any applicable
reliability criteria; and provided further that Reliability
Entity took all reasonable efforts in a timely manner to
mitigate the effects of the Extraordinary Contingency and to
resume full compliance with all applicable reliability
criteria contained in this Reliability Agreement.
Reasonable efforts shall include shedding load, disconnecting
facilities, altering generation patterns or schedules on the
transmission system, or purchasing energy or capacity,
except to the extent that the Reliability Entity
9
WECC Standard BAL-STD-002-0 - Operating Reserves
demonstrates to the WECC Staff and/or the RCC that in the
particular circumstances such action would have been
unreasonable. Reasonable efforts shall not include the
settlement of any strike, lockout or labor dispute.
b. Any Reliability Entity whose compliance is prevented by an
Extraordinary Contingency shall immediately notify the
WECC of such contingency and shall report daily or at such
other interval prescribed by the WECC the efforts being
undertaken to mitigate the effects of such contingency and to
bring the Reliability Entity back into full compliance.
c. An Extraordinary Contingency means any act of God, actions
by a non-affiliated third party, labor disturbance, act of the
public enemy, war, insurrection, riot, fire, storm or flood,
earthquake, explosion, accident to or breakage, failure or
malfunction of machinery or equipment, or any other cause
beyond the Reliability Entity's reasonable control; provided
that prudent industry standards (ms., maintenance, design,
operation) have been employed; and provided further that no
act or cause shall be considered an Extraordinary
Contingency if such act or cause results in any contingency
contemplated in any WECC Reliability Standard (e.g., the
"Most Severe Single Contingency" as defined in the WECC
Reliability Criteria or any lesser contingency).
5. Participation in Field Testing
Any action taken or not taken by the Reliability Entity in conjunction
with the Reliability Entity's involvement in the field testing (as
approved by either the WECC Operating Committee or the WECC
Planning Coordination Committee) of a new reliability criterion or a
revision to an existing reliability criterion where such action or non-
action causes the Reliability Entity's non-compliance with the
reliability criterion to be replaced or revised by the criterion being
field tested; provided that Reliability Entity's noncompliance is the
result of Reliability Entity's reasonable efforts to participate in the
field testing.
Standard CIP-001-2a Sabotage Reporting
Page 1 of 6
A. Introduction
1. Title: Sabotage Reporting
2. Number: CIP-001-2a
3. Purpose: Disturbances or unusual occurrences, suspected or determined to be caused by
sabotage, shall be reported to the appropriate systems, governmental agencies, and regulatory
bodies.
4. Applicability
4.1. Reliability Coordinators.
4.2. Balancing Authorities.
4.3. Transmission Operators.
4.4. Generator Operators.
4.5. Load Serving Entities.
4.6. Transmission Owners (only in ERCOT Region).
4.7. Generator Owners (only in ERCOT Region).
5. Effective Date: ERCOT Regional Variance will be effective the first day of
the first calendar quarter after applicable regulatory approval.
B. Requirements
R1. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall have procedures for the recognition of and for making
their operating personnel aware of sabotage events on its facilities and multi-site sabotage
affecting larger portions of the Interconnection.
R2. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall have procedures for the communication of information
concerning sabotage events to appropriate parties in the Interconnection.
R3. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall provide its operating personnel with sabotage response
guidelines, including personnel to contact, for reporting disturbances due to sabotage events.
R4. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall establish communications contacts, as applicable, with
local Federal Bureau of Investigation (FBI) or Royal Canadian Mounted Police (RCMP)
officials and develop reporting procedures as appropriate to their circumstances.
C. Measures
M1. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall have and provide upon request a procedure (either
electronic or hard copy) as defined in Requirement 1
M2. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall have and provide upon request the procedures or
guidelines that will be used to confirm that it meets Requirements 2 and 3.
Standard CIP-001-2a Sabotage Reporting
Page 2 of 6
M3. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall have and provide upon request evidence that could
include, but is not limited to procedures, policies, a letter of understanding, communication
records, or other equivalent evidence that will be used to confirm that it has established
communications contacts with the applicable, local FBI or RCMP officials to communicate
sabotage events (Requirement 4).
D. Compliance
1. Compliance Monitoring Process
1.1. Compliance Monitoring Responsibility
Regional Reliability Organizations shall be responsible for compliance monitoring.
1.2. Compliance Monitoring and Reset Time Frame
One or more of the following methods will be used to verify compliance:
- Self-certification (Conducted annually with submission according to schedule.)
- Spot Check Audits (Conducted anytime with up to 30 days notice given to prepare.)
- Periodic Audit (Conducted once every three years according to schedule.)
- Triggered Investigations (Notification of an investigation must be made within 60
days of an event or complaint of noncompliance. The entity will have up to 30 days
to prepare for the investigation. An entity may request an extension of the
preparation period and the extension will be considered by the Compliance Monitor
on a case-by-case basis.)
The Performance-Reset Period shall be 12 months from the last finding of non-
compliance.
1.3. Data Retention
Each Reliability Coordinator, Transmission Operator, Generator Operator, Distribution
Provider, and Load Serving Entity shall have current, in-force documents available as
evidence of compliance as specified in each of the Measures.
If an entity is found non-compliant the entity shall keep information related to the non-
compliance until found compliant or for two years plus the current year, whichever is
longer.
Evidence used as part of a triggered investigation shall be retained by the entity being
investigated for one year from the date that the investigation is closed, as determined by
the Compliance Monitor,
The Compliance Monitor shall keep the last periodic audit report and all requested and
submitted subsequent compliance records.
1.4. Additional Compliance Information
None.
2. Levels of Non-Compliance:
2.1. Level 1: There shall be a separate Level 1 non-compliance, for every one of the
following requirements that is in violation:
2.1.1 Does not have procedures for the recognition of and for making its operating
personnel aware of sabotage events (R1).
Standard CIP-001-2a Sabotage Reporting
Page 3 of 6
2.1.2 Does not have procedures or guidelines for the communication of information
concerning sabotage events to appropriate parties in the Interconnection (R2).
2.1.3 Has not established communications contacts, as specified in R4.
2.2. Level 2: Not applicable.
2.3. Level 3: Has not provided its operating personnel with sabotage response procedures or
guidelines (R3).
2.4. Level 4:.Not applicable.
E. ERCOT Interconnection-wide Regional Variance
Requirements
EA.1. Each Reliability Coordinator, Balancing Authority, Transmission Owner,
Transmission Operator, Generator Owner, Generator Operator, and Load Serving
Entity shall have procedures for the recognition of and for making their operating
personnel aware of sabotage events on its facilities and multi-site sabotage affecting
larger portions of the Interconnection.
EA.2. Each Reliability Coordinator, Balancing Authority, Transmission Owner,
Transmission Operator, Generator Owner, Generator Operator, and Load Serving
Entity shall have procedures for the communication of information concerning
sabotage events to appropriate parties in the Interconnection.
EA.3. Each Reliability Coordinator, Balancing Authority, Transmission Owner,
Transmission Operator, Generator Owner, Generator Operator, and Load Serving
Entity shall provide its operating personnel with sabotage response guidelines,
including personnel to contact, for reporting disturbances due to sabotage events.
EA.4. Each Reliability Coordinator, Balancing Authority, Transmission Owner,
Transmission Operator, Generator Owner, Generator Operator, and Load Serving
Entity shall establish communications contacts with local Federal Bureau of
Investigation (FBI) officials and develop reporting procedures as appropriate to their
circumstances.
Measures
M.A.1. Each Reliability Coordinator, Balancing Authority, Transmission Owner,
Transmission Operator, Generator Owner, Generator Operator, and Load Serving
Entity shall have and provide upon request a procedure (either electronic or hard
copy) as defined in Requirement EA1.
M.A.2. Each Reliability Coordinator, Balancing Authority, Transmission Owner,
Transmission Operator, Generator Owner, Generator Operator, and Load Serving
Entity shall have and provide upon request the procedures or guidelines that will be
used to confirm that it meets Requirements EA2 and EA3.
M.A.3. Each Reliability Coordinator, Balancing Authority, Transmission Owner,
Transmission Operator, Generator Owner, Generator Operator, and Load Serving
Entity shall have and provide upon request evidence that could include, but is not
limited to, procedures, policies, a letter of understanding, communication records,
Standard CIP-001-2a Sabotage Reporting
Page 4 of 6
or other equivalent evidence that will be used to confirm that it has established
communications contacts with the local FBI officials to communicate sabotage
events (Requirement EA4).
Compliance
1. Compliance Monitoring Process
1.1. Compliance Enforcement Authority
Regional Entity shall be responsible for compliance monitoring.
1.2. Data Retention
Each Reliability Coordinator, Balancing Authority, Transmission Owner,
Transmission Operator, Generator Owner, Generator Operator, and Load Serving
Entity shall have current, in-force documents available as evidence of compliance
as specified in each of the Measures.
If an entity is found non-compliant the entity shall keep information related to the
non-compliance until found compliant or for two years plus the current year,
whichever is longer.
Evidence used as part of a triggered investigation shall be retained by the entity
being investigated for one year from the date that the investigation is closed, as
determined by the Compliance Monitor,
The Compliance Monitor shall keep the last periodic audit report and all requested
and submitted subsequent compliance records.
Version History
Version Date Action Change Tracking
0 April 1, 2005 Effective Date New
0 August 8, 2005 Removed Proposed from Effective Date Errata
1 November 1, 2006 Adopted by Board of Trustees Amended
1 April 4, 2007 Regulatory Approval Effective Date New
1a February 16, 2010 Added Appendix 1 Interpretation of R2
approved by the NERC Board of Trustees
Addition
1a February 2, 2011 Interpretation of R2 approved by FERC on
February 2, 2011
Same addition
June 10, 2010 TRE regional ballot approved variance By Texas RE
August 24, 2010 Regional Variance Approved by Texas RE
Board of Directors
2a February 16, 2011 Approved by NERC Board of Trustees
Standard CIP-001-2a Sabotage Reporting
Page 5 of 6
2a August 2, 2011 FERC Order issued approving Texas RE
Regional Variance
Standard CIP-001-2a Sabotage Reporting
Page 6 of 6
Appendix 1
Requirement Number and Text of Requirement
CIP-001-1:
R2. Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator
Operator, and Load Serving Entity shall have procedures for the communication of information
concerning sabotage events to appropriate parties in the Interconnection.
Question
Please clarify what is meant by the term, appropriate parties. Moreover, who within the Interconnection
hierarchy deems parties to be appropriate?
Response
The drafting team interprets the phrase appropriate parties in the Interconnection to refer collectively to
entities with whom the reporting party has responsibilities and/or obligations for the communication of
physical or cyber security event information. For example, reporting responsibilities result from NERC
standards IRO-001 Reliability Coordination Responsibilities and Authorities, COM-002-2
Communication and Coordination, and TOP-001 Reliability Responsibilities and Authorities, among
others. Obligations to report could also result from agreements, processes, or procedures with other
parties, such as may be found in operating agreements and interconnection agreements.
The drafting team asserts that those entities to which communicating sabotage events is appropriate would
be identified by the reporting entity and documented within the procedure required in CIP-001-1
Requirement R2.
Regarding who within the Interconnection hierarchy deems parties to be appropriate, the drafting team
knows of no interconnection authority that has such a role.
Standard CIP0023 Cyber Security Critical Cyber Asset Identification
Approved by Board of Trus tees : December 16, 2009 1
A. Introduction
1. Title: Cyber Security Critical Cyber Asset Identification
2. Number: CIP-002-3
3. Purpose: NERC Standards CIP-002-3 through CIP-009-3 provide a cyber security
framework for the identification and protection of Critical Cyber Assets to support reliable
operation of the Bulk Electric System.
These standards recognize the differing roles of each entity in the operation of the Bulk Electric
System, the criticality and vulnerability of the assets needed to manage Bulk Electric System
reliability, and the risks to which they are exposed.
Business and operational demands for managing and maintaining a reliable Bulk Electric
System increasingly rely on Cyber Assets supporting critical reliability functions and processes
to communicate with each other, across functions and organizations, for services and data. This
results in increased risks to these Cyber Assets.
Standard CIP-002-3 requires the identification and documentation of the Critical Cyber Assets
associated with the Critical Assets that support the reliable operation of the Bulk Electric
System. These Critical Assets are to be identified through the application of a risk-based
assessment.
4. Applicability:
4.1. Within the text of Standard CIP-002-3, Responsible Entity shall mean:
4.1.1 Reliability Coordinator.
4.1.2 Balancing Authority.
4.1.3 Interchange Authority.
4.1.4 Transmission Service Provider.
4.1.5 Transmission Owner.
4.1.6 Transmission Operator.
4.1.7 Generator Owner.
4.1.8 Generator Operator.
4.1.9 Load Serving Entity.
4.1.10 NERC.
4.1.11 Regional Entity.
4.2. The following are exempt from Standard CIP-002-3:
4.2.1 Facilities regulated by the U.S. Nuclear Regulatory Commission or the Canadian
Nuclear Safety Commission.
4.2.2 Cyber Assets associated with communication networks and data communication
links between discrete Electronic Security Perimeters.
5. Effective Date: The first day of the third calendar quarter after applicable regulatory approvals
have been received (or the Reliability Standard otherwise becomes effective the first day of the
third calendar quarter after BOT adoption in those jurisdictions where regulatory approval is
not required)
Standard CIP0023 Cyber Security Critical Cyber Asset Identification
Approved by Board of Trus tees : December 16, 2009 2
B. Requirements
R1. Critical Asset Identification Method The Responsible Entity shall identify and document a
risk-based assessment methodology to use to identify its Critical Assets.
R1.1. The Responsible Entity shall maintain documentation describing its risk-based
assessment methodology that includes procedures and evaluation criteria.
R1.2. The risk-based assessment shall consider the following assets:
R1.2.1. Control centers and backup control centers performing the functions of the
entities listed in the Applicability section of this standard.
R1.2.2. Transmission substations that support the reliable operation of the Bulk
Electric System.
R1.2.3. Generation resources that support the reliable operation of the Bulk Electric
System.
R1.2.4. Systems and facilities critical to system restoration, including blackstart
generators and substations in the electrical path of transmission lines used
for initial system restoration.
R1.2.5. Systems and facilities critical to automatic load shedding under a common
control system capable of shedding 300 MW or more.
R1.2.6. Special Protection Systems that support the reliable operation of the Bulk
Electric System.
R1.2.7. Any additional assets that support the reliable operation of the Bulk Electric
System that the Responsible Entity deems appropriate to include in its
assessment.
R2. Critical Asset Identification The Responsible Entity shall develop a list of its identified
Critical Assets determined through an annual application of the risk-based assessment
methodology required in R1. The Responsible Entity shall review this list at least annually,
and update it as necessary.
R3. Critical Cyber Asset Identification Using the list of Critical Assets developed pursuant to
Requirement R2, the Responsible Entity shall develop a list of associated Critical Cyber Assets
essential to the operation of the Critical Asset. Examples at control centers and backup control
centers include systems and facilities at master and remote sites that provide monitoring and
control, automatic generation control, real-time power system modeling, and real-time inter-
utility data exchange. The Responsible Entity shall review this list at least annually, and
update it as necessary. For the purpose of Standard CIP-002-3, Critical Cyber Assets are
further qualified to be those having at least one of the following characteristics:
R3.1. The Cyber Asset uses a routable protocol to communicate outside the Electronic
Security Perimeter; or,
R3.2. The Cyber Asset uses a routable protocol within a control center; or,
R3.3. The Cyber Asset is dial-up accessible.
R4. Annual Approval The senior manager or delegate(s) shall approve annually the risk-based
assessment methodology, the list of Critical Assets and the list of Critical Cyber Assets. Based
on Requirements R1, R2, and R3 the Responsible Entity may determine that it has no Critical
Assets or Critical Cyber Assets. The Responsible Entity shall keep a signed and dated record of
Standard CIP0023 Cyber Security Critical Cyber Asset Identification
Approved by Board of Trus tees : December 16, 2009 3
the senior manager or delegate(s)s approval of the risk-based assessment methodology, the list
of Critical Assets and the list of Critical Cyber Assets (even if such lists are null.)
C. Measures
M1. The Responsible Entity shall make available its current risk-based assessment methodology
documentation as specified in Requirement R1.
M2. The Responsible Entity shall make available its list of Critical Assets as specified in
Requirement R2.
M3. The Responsible Entity shall make available its list of Critical Cyber Assets as specified in
Requirement R3.
M4. The Responsible Entity shall make available its approval records of annual approvals as
specified in Requirement R4.
D. Compliance
1. Compliance Monitoring Process
1.1. Compliance Enforcement Authority
1.1.1 Regional Entity for Responsible Entities that do not perform delegated tasks for
their Regional Entity.
1.1.2 ERO for Regional Entity.
1.1.3 Third-party monitor without vested interest in the outcome for NERC.
1.2. Compliance Monitoring Period and Reset Time Frame
Not applicable.
1.3. Compliance Monitoring and Enforcement Processes
Compliance Audits
Self-Certifications
Spot Checking
Compliance Violation Investigations
Self-Reporting
Complaints
1.4. Data Retention
1.4.1 The Responsible Entity shall keep documentation required by Standard CIP-002-
3 from the previous full calendar year unless directed by its Compliance
Enforcement Authority to retain specific evidence for a longer period of time as
part of an investigation.
1.4.2 The Compliance Enforcement Authority in conjunction with the Registered
Entity shall keep the last audit records and all requested and submitted
subsequent audit records.
1.5. Additional Compliance Information
1.5.1 None.
2. Violation Severity Levels (To be developed later.)
Standard CIP0023 Cyber Security Critical Cyber Asset Identification
Approved by Board of Trus tees : December 16, 2009 4
E. Regional Variances
None identified.
Version History
Version Date Action Change Tracking
1 January 16, 2006 R3.2 Change Control Center to control
center
Errata
2 Modifications to clarify the requirements and to
bring the compliance elements into conformance
with the latest guidelines for developing
compliance elements of standards.
Removal of reasonable business judgment.
Replaced the RRO with the RE as a responsible
entity.
Rewording of Effective Date.
Changed compliance monitor to Compliance
Enforcement Authority.
3 Updated version number from -2 to -3
3 December 16, 2009 Approved by the NERC Board of Trustees Update
Standard CIP0023b Cyber Security Critical Cyber Asset Identification
Page 1 of 10
A. Introduction
1. Title: Cyber Security Critical Cyber Asset Identification
2. Number: CIP-002-3b
3. Purpose: NERC Standards CIP-002-3 through CIP-009-3 provide a cyber security
framework for the identification and protection of Critical Cyber Assets to support reliable
operation of the Bulk Electric System.
These standards recognize the differing roles of each entity in the operation of the Bulk Electric
System, the criticality and vulnerability of the assets needed to manage Bulk Electric System
reliability, and the risks to which they are exposed.
Business and operational demands for managing and maintaining a reliable Bulk Electric
System increasingly rely on Cyber Assets supporting critical reliability functions and processes
to communicate with each other, across functions and organizations, for services and data. This
results in increased risks to these Cyber Assets.
Standard CIP-002-3 requires the identification and documentation of the Critical Cyber Assets
associated with the Critical Assets that support the reliable operation of the Bulk Electric
System. These Critical Assets are to be identified through the application of a risk-based
assessment.
4. Applicability:
4.1. Within the text of Standard CIP-002-3, Responsible Entity shall mean:
4.1.1 Reliability Coordinator.
4.1.2 Balancing Authority.
4.1.3 Interchange Authority.
4.1.4 Transmission Service Provider.
4.1.5 Transmission Owner.
4.1.6 Transmission Operator.
4.1.7 Generator Owner.
4.1.8 Generator Operator.
4.1.9 Load Serving Entity.
4.1.10 NERC.
4.1.11 Regional Entity.
4.2. The following are exempt from Standard CIP-002-3:
4.2.1 Facilities regulated by the U.S. Nuclear Regulatory Commission or the Canadian
Nuclear Safety Commission.
4.2.2 Cyber Assets associated with communication networks and data communication
links between discrete Electronic Security Perimeters.
5. Effective Date: The first day of the third calendar quarter after applicable regulatory approvals
have been received (or the Reliability Standard otherwise becomes effective the first day of the
third calendar quarter after BOT adoption in those jurisdictions where regulatory approval is
not required)
Standard CIP0023b Cyber Security Critical Cyber Asset Identification
Page 2 of 10
B. Requirements
R1. Critical Asset Identification Method The Responsible Entity shall identify and
document a risk-based assessment methodology to use to identify its Critical Assets.
R1.1. The Responsible Entity shall maintain documentation describing its risk-based
assessment methodology that includes procedures and evaluation criteria.
R1.2. The risk-based assessment shall consider the following assets:
R1.2.1. Control centers and backup control centers performing the functions
of the entities listed in the Applicability section of this standard.
R1.2.2. Transmission substations that support the reliable operation of the
Bulk Electric System.
R1.2.3. Generation resources that support the reliable operation of the Bulk
Electric System.
R1.2.4. Systems and facilities critical to system restoration, including
blackstart generators and substations in the electrical path of
transmission lines used for initial system restoration.
R1.2.5. Systems and facilities critical to automatic load shedding under a
common control system capable of shedding 300 MW or more.
R1.2.6. Special Protection Systems that support the reliable operation of the
Bulk Electric System.
R1.2.7. Any additional assets that support the reliable operation of the Bulk
Electric System that the Responsible Entity deems appropriate to
include in its assessment.
R2. Critical Asset Identification The Responsible Entity shall develop a list of its
identified Critical Assets determined through an annual application of the risk-based
assessment methodology required in R1. The Responsible Entity shall review this list
at least annually, and update it as necessary.
R3. Critical Cyber Asset Identification Using the list of Critical Assets developed
pursuant to Requirement R2, the Responsible Entity shall develop a list of associated
Critical Cyber Assets essential to the operation of the Critical Asset. Examples at
control centers and backup control centers include systems and facilities at master and
remote sites that provide monitoring and control, automatic generation control, real-
time power system modeling, and real-time inter-utility data exchange. The
Responsible Entity shall review this list at least annually, and update it as necessary.
For the purpose of Standard CIP-002-3, Critical Cyber Assets are further qualified to
be those having at least one of the following characteristics:
R3.1. The Cyber Asset uses a routable protocol to communicate outside the
Electronic Security Perimeter; or,
R3.2. The Cyber Asset uses a routable protocol within a control center; or,
R3.3. The Cyber Asset is dial-up accessible.
Standard CIP0023b Cyber Security Critical Cyber Asset Identification
Page 3 of 10
R4. Annual Approval The senior manager or delegate(s) shall approve annually the risk-
based assessment methodology, the list of Critical Assets and the list of Critical Cyber
Assets. Based on Requirements R1, R2, and R3 the Responsible Entity may determine
that it has no Critical Assets or Critical Cyber Assets. The Responsible Entity shall
keep a signed and dated record of the senior manager or delegate(s)s approval of the
risk-based assessment methodology, the list of Critical Assets and the list of Critical
Cyber Assets (even if such lists are null.)
C. Measures
M1. The Responsible Entity shall make available its current risk-based assessment
methodology documentation as specified in Requirement R1.
M2. The Responsible Entity shall make available its list of Critical Assets as specified in
Requirement R2.
M3. The Responsible Entity shall make available its list of Critical Cyber Assets as
specified in Requirement R3.
M4. The Responsible Entity shall make available its approval records of annual approvals as
specified in Requirement R4.
D. Compliance
1. Compliance Monitoring Process
1.1. Compliance Enforcement Authority
1.1.1 Regional Entity for Responsible Entities that do not perform delegated tasks for
their Regional Entity.
1.1.2 ERO for Regional Entity.
1.1.3 Third-party monitor without vested interest in the outcome for NERC.
1.2. Compliance Monitoring Period and Reset Time Frame
Not applicable.
1.3. Compliance Monitoring and Enforcement Processes
Compliance Audits
Self-Certifications
Spot Checking
Compliance Violation Investigations
Self-Reporting
Complaints
1.4. Data Retention
1.4.1 The Responsible Entity shall keep documentation required by Standard CIP-002-
3 from the previous full calendar year unless directed by its Compliance
Enforcement Authority to retain specific evidence for a longer period of time as
part of an investigation.
Standard CIP0023b Cyber Security Critical Cyber Asset Identification
Page 4 of 10
1.4.2 The Compliance Enforcement Authority in conjunction with the Registered
Entity shall keep the last audit records and all requested and submitted
subsequent audit records.
1.5. Additional Compliance Information
1.5.1 None.
Standard CIP0023b Cyber Security Critical Cyber Asset Identification
Page 5 of 10
2. Violation Severity Levels
Requirement VRF Lower VSL Moderate VSL High VSL Severe VSL
R1. MEDIUM N/A N/A N/A The responsible entity has not documented a
risk-based assessment methodology to use to
identify its Critical Assets as specified in R1.
R1.1. LOWER N/A The Responsible
Entity maintained
documentation
describing its risk-
based assessment
methodology which
includes evaluation
criteria, but does not
include procedures.
The Responsible Entity maintained
documentation describing its risk-based
assessment methodology that includes
procedures but does not include
evaluation criteria.
The Responsible Entity did not maintain
documentation describing its risk-based
assessment methodology that includes
procedures and evaluation criteria.
R1.2. MEDIUM N/A N/A N/A The Responsible Entity did not consider all
of the asset types listed in R1.2.1 through
R1.2.7 in its risk-based assessment.
R1.2.1. LOWER N/A N/A N/A N/A
R1.2.2. LOWER N/A N/A N/A N/A
R1.2.3. LOWER N/A N/A N/A N/A
R1.2.4. LOWER N/A N/A N/A N/A
R1.2.5. LOWER N/A N/A N/A N/A
Standard CIP0023b Cyber Security Critical Cyber Asset Identification
Page 6 of 10
Requirement VRF Lower VSL Moderate VSL High VSL Severe VSL
R1.2.6. LOWER N/A N/A N/A N/A
R1.2.7. LOWER N/A N/A N/A N/A
R2. HIGH N/A N/A The Responsible Entity has developed a
list of Critical Assets but the list has not
been reviewed and updated annually as
required.
The Responsible Entity did not develop a list
of its identified Critical Assets even if such
list is null.
R3. HIGH N/A N/A The Responsible Entity has developed a
list of associated Critical Cyber Assets
essential to the operation of the Critical
Asset list as per requirement R2 but the
list has not been reviewed and updated
annually as required.
The Responsible Entity did not develop a list
of associated Critical Cyber Assets essential
to the operation of the Critical Asset list as
per requirement R2 even if such list is null.
R3.1. LOWER N/A N/A N/A A Cyber Asset essential to the operation of
the Critical Asset was identified that met the
criteria in this requirement but was not
included in the Critical Cyber Asset List.
R3.2. LOWER N/A N/A N/A A Cyber Asset essential to the operation of
the Critical Asset was identified that met the
criteria in this requirement but was not
included in the Critical Cyber Asset List.
R3.3. LOWER N/A N/A N/A A Cyber Asset essential to the operation of
the Critical Asset was identified that met the
criteria in this requirement but was not
included in the Critical Cyber Asset List.
R4. LOWER N/A The Responsible
Entity does not have a
signed and dated
The Responsible Entity does not have a
signed and dated record of the senior
manager or delegate(s)s annual approval
The Responsible Entity does not have a
signed and dated record of the senior
manager or delegate(s) annual approval of 1)
Standard CIP0023b Cyber Security Critical Cyber Asset Identification
Page 7 of 10
Requirement VRF Lower VSL Moderate VSL High VSL Severe VSL
record of the senior
manager or
delegate(s)s annual
approval of the risk-
based assessment
methodology, the list
of Critical Assets or
the list of Critical
Cyber Assets (even if
such lists are null.)
of two of the following: the risk-based
assessment methodology, the list of
Critical Assets or the list of Critical
Cyber Assets (even if such lists are null.)
A risk based assessment methodology for
identification of Critical Assets, 2) a signed
and dated approval of the list of Critical
Assets, nor 3) a signed and dated approval of
the list of Critical Cyber Assets (even if such
lists are null.)
Standard CIP0023b Cyber Security Critical Cyber Asset Identification
Page 8 of 10
E. Regional Variances
None identified.
Version History
Version Date Action Change Tracking
1 J anuary 16, 2006 R3.2 Change Control Center to control
center
Errata
2 Modifications to clarify the requirements and to
bring the compliance elements into conformance
with the latest guidelines for developing
compliance elements of standards.
Removal of reasonable business judgment.
Replaced the RRO with the RE as a responsible
entity.
Rewording of Effective Date.
Changed compliance monitor to Compliance
Enforcement Authority.
3 Updated version number from -2 to -3
3 December 16, 2009 Approved by the NERC Board of Trustees Update
3a May 9, 2012 Interpretation of R3 for Duke Energy adopted by
the NERC Board of Trustees
3b February 7, 2013 Interpretation of R1.2.5 for OGE adopted by the
NERC Board of Trustees
3b March 21, 2013 FERC Order issued remanding interpretation of R3
for Duke Energy; interpretation removed from
standard (previously Appendix 1)
Standard CIP0023b Cyber Security Critical Cyber Asset Identification
Page 9 of 10
Appendix 1
Project 2012-INT-05: Response to Request for an Interpretation of NERC Standard CIP-002-3
for the OGE Energy Corporation
Date submitted: 2/24/11
The following interpretation of NERC Standard CIP-002-3 Cyber Security Critical Cyber Asset
Identification, Requirement R1.2.5, was developed by a project team from the CIP Interpretation Drafting
Team.
Requirement Number and Text of Requirement
R1. Critical Asset Identification Method The Responsible Entity shall identify and document a risk-
based assessment methodology to use to identify its Critical Assets.
R1.2. The risk-based assessment shall consider the following assets:
R1.2.5. Systems and facilities critical to automatic load shedding under a common control
system capable of shedding 300 MW or more.
Identify specifically what requirement needs clarification (as submitted):
Requirement Number and Text of Requirement:
CIP-002-3 R1.2.5 - Systems and facilities critical to automatic load shedding under a common control system
capable of shedding 300 MW or more.
Clarification needed: Based on the text above, an auditor could apply this standard to the Smart Grid
Advanced Meter Infrastructure (AMI) remote connect/disconnect functionality. While the AMI system is not
designed to perform automatic load shedding of 300 MW it could be repurposed to shed an aggregate load of
300 MW or more. However, it is important to note that the AMI remote disconnect function is not used for
under-voltage load shedding or under-frequency load shedding as a part of the regions load shedding
program.
The primary purpose of the AMI remote connect/disconnect function is to connect and disconnect individual
retail electric customers from a central location rather than at the meter itself to enable substantial efficiency
gains.
OGE would like NERC to clarify that a company's SmartGrid AMI functionality, which may be able to
disconnect 300+MW of load, is not considered a system or facility critical to automatic load shedding under
a common control system capable of shedding 300 mw and therefore it should not be included in the
Company's risk based methodology. OGE believes this clarification is appropriate because CIP-002-3 R1.2.5
was written to address under-voltage and under-frequency load shedding systems; SmartGrid AMI
disconnect functionality pertains to neither.
Standard CIP0023b Cyber Security Critical Cyber Asset Identification
Page 10 of 10
Question Summary
OGE Energy Corporation seeks clarification on the meaning of CIP-002-3, Requirement R1.2.5 as it
relates to SmartGrid Advanced Meter Infrastructure (AMI) remote connect/disconnect functionality.
In its response, the Interpretation Drafting Team will answer whether a companys SmartGrid AMI
functionality, which may be able to disconnect more than 300 MW of load, is considered a system or
facility critical to automatic load shedding under a common control system capable of shedding 300 MW
or more under CIP-002-3, Requirement 1.2.5.
Response
In evaluating OGEs request, the Interpretation Drafting Team (IDT) clarifies the meaning of CIP-002-3,
Requirement R1.2.5 as it relates and applies to new technologies such as AMI. CIP-002-3, Requirement
R1.2.5, along with the context of the standard as a whole, informed development of this interpretation.
CIP-002-3, Requirement R1.2 specifies that the Responsible Entitys risk-based assessment methodology
(RBAM) shall consider the assets described in Requirement R1.2.5.
During the identification and documentation of the RBAM, a Responsible Entity shall consider Systems and
facilities critical to automatic load shedding under a common control system capable of shedding 300 MW or
more as specified in Requirement R1.2.5. Requirement R2 then requires the entity to apply this RBAM
annually to identify Critical Assets. If a system or facility does not meet the specifications of Requirement
R1.2.5, the RBAM is not required to consider that asset.
The Critical Asset identification method under CIP-002-3, Requirement R1 is based on a facts and
circumstance-driven analysis and is not dependent exclusively on specific technology or specific types of
systems or facilities. For instance, systems or facilities such as AMI may have the potential or capability to
be set up to automatically shed load, but having that potential or capability does not necessarily mean that the
system or facility performs the function as described in Requirement R1.2.5. Therefore, an AMI system
specifically built and configured to perform the Remote Disconnect function that does not automatically shed
load without human operator initiation would not meet the criteria found in CIP-002-3, Requirement R1.2.5.
Standard CIP0024 Cyber Security Critical Cyber As s et Identification
1
A. Introduction
1. Title: Cyber Security Critical Cyber Asset Identification
2. Number: CIP-002-4
3. Purpose: NERC Standards CIP-002-4 through CIP-009-4 provide a cyber security
framework for the identification and protection of Critical Cyber Assets to support reliable
operation of the Bulk Electric System.
These standards recognize the differing roles of each entity in the operation of the Bulk Electric
System, the criticality and vulnerability of the assets needed to manage Bulk Electric System
reliability, and the risks to which they are exposed.
Business and operational demands for managing and maintaining a reliable Bulk Electric
System increasingly rely on Cyber Assets supporting critical reliability functions and processes
to communicate with each other, across functions and organizations, for services and data. This
results in increased risks to these Cyber Assets.
Standard CIP-002-4 requires the identification and documentation of the Critical Cyber Assets
associated with the Critical Assets that support the reliable operation of the Bulk Electric
System. These Critical Assets are to be identified through the application of the criteria in
Attachment 1.
4. Applicability:
4.1. Within the text of Standard CIP-002-4, Responsible Entity shall mean:
4.1.1 Reliability Coordinator.
4.1.2 Balancing Authority.
4.1.3 Interchange Authority.
4.1.4 Transmission Service Provider.
4.1.5 Transmission Owner.
4.1.6 Transmission Operator.
4.1.7 Generator Owner.
4.1.8 Generator Operator.
4.1.9 Load Serving Entity.
4.1.10 NERC.
4.1.11 Regional Entity.
4.2. The following are exempt from Standard CIP-002-4:
4.2.1 Facilities regulated by the Canadian Nuclear Safety Commission.
4.2.2 Cyber Assets associated with communication networks and data communication
links between discrete Electronic Security Perimeters.
4.2.3 In nuclear plants, the systems, structures, and components that are regulated by
the Nuclear Regulatory Commission under a cyber security plan pursuant to 10
C.F. R. Section 73.54.
5. Effective Date: The first day of the eighth calendar quarter after applicable regulatory
approvals have been received (or the Reliability Standard otherwise becomes effective the first
day of the ninth calendar quarter after BOT adoption in those jurisdictions where regulatory
approval is not required)
Standard CIP0024 Cyber Security Critical Cyber As s et Identification
2
B. Requirements
R1. Critical Asset Identification The Responsible Entity shall develop a list of its identified
Critical Assets determined through an annual application of the criteria contained in CIP-002-4
Attachment 1 Critical Asset Criteria. The Responsible Entity shall update this list as
necessary, and review it at least annually.
R2. Critical Cyber Asset Identification Using the list of Critical Assets developed pursuant to
Requirement R1, the Responsible Entity shall develop a list of associated Critical Cyber Assets
essential to the operation of the Critical Asset. The Responsible Entity shall update this list as
necessary, and review it at least annually.
For each group of generating units (including nuclear generation) at a single plant location
identified in Attachment 1, criterion 1.1, the only Cyber Assets that must be considered are
those shared Cyber Assets that could, within 15 minutes, adversely impact the reliable
operation of any combination of units that in aggregate equal or exceed Attachment 1, criterion
1.1.
For the purpose of Standard CIP-002-4, Critical Cyber Assets are further qualified to be those
having at least one of the following characteristics:
The Cyber Asset uses a routable protocol to communicate outside the Electronic Security
Perimeter; or,
The Cyber Asset uses a routable protocol within a control center; or,
The Cyber Asset is dial-up accessible.
R3. Annual Approval The senior manager or delegate(s) shall approve annually the list of
Critical Assets and the list of Critical Cyber Assets. Based on Requirements R1 and R2 the
Responsible Entity may determine that it has no Critical Assets or Critical Cyber Assets. The
Responsible Entity shall keep a signed and dated record of the senior manager or delegate(s)s
approval of the list of Critical Assets and the list of Critical Cyber Assets (even if such lists are
null.)
C. Measures
M1. The Responsible Entity shall make available its list of Critical Assets as specified in
Requirement R1.
M2. The Responsible Entity shall make available its list of Critical Cyber Assets as specified in
Requirement R2.
M3. The Responsible Entity shall make available its records of approvals as specified in
Requirement R3.
Standard CIP0024 Cyber Security Critical Cyber As s et Identification
3
D. Compliance
1. Compliance Monitoring Process
1.1. Compliance Enforcement Authority
1.1.1 The Regional Entity shall serve as the Compliance Enforcement Authority with the following exceptions:
For entities that do not work for the Regional Entity, the Regional Entity shall serve as the Compliance Enforcement Authority.
For Reliability Coordinators and other functional entities that work for their Regional Entity, the ERO shall serve as the Compliance
Enforcement Authority.
For Responsible Entities that are also Regional Entities, the ERO or a Regional Entity approved by the ERO and FERC or other
applicable governmental authorities shall serve as the Compliance Enforcement Authority.
For the ERO, a third-party monitor without vested interest in the outcome for the ERO shall serve as the Compliance Enforcement
Authority.
1.2. Compliance Monitoring and Enforcement Processes
Compliance Audits
Self-Certifications
Spot Checking
Compliance Violation Investigations
Self-Reporting
Complaints
1.3. Data Retention
1.3.1 The Responsible Entity shall keep documentation required by Standard CIP-002-4 from the previous full calendar year unless directed by
its Compliance Enforcement Authority to retain specific evidence for a longer period of time as part of an investigation.
1.3.2 The Compliance Enforcement Authority in conjunction with the Registered Entity shall keep the last audit records and all requested and
submitted subsequent audit records.
1.4. Additional Compliance Information
1.4.1 None.
2. Violation Severity Levels
Standard CIP0024 Cyber Security Critical Cyber As s et Identification
4
Requirement VRF Lower VSL Moderate VSL High VSL Severe VSL
R1 HIGH N/A N/A The Responsible Entity has developed a list of Critical
Assets but the list has not been reviewed and updated
annually as required.
The Responsible Entity did not develop a list of its identified
Critical Assets even if such list is null.
R2 HIGH N/A N/A The Responsible Entity has developed a list of associated
Critical Cyber Assets essential to the operation of the
Critical Asset list as per requirement R2 but the list has not
been reviewed and updated annually as required.
The Responsible Entity did not develop a list of associated
Critical Cyber Assets essential to the operation of the Critical
Asset list as per requirement R2 even if such list is null.
OR
A Cyber Asset essential to the operation of the Critical Asset
was identified that met at least one of the bulleted
characteristics in this requirement but was not included in the
Critical Cyber Asset List.
R3 LOWER N/A N/A The Responsible Entity does not have a signed and dated
record of the senior manager or delegate(s)s annual
approval of the list of Critical Assets.
OR
The Responsible Entity does not have a signed and dated
record of the senior manager or delegate(s)s annual
approval of the list of Critical Cyber Assets (even if such
lists are null.)
The Responsible Entity does not have a signed and dated
record of the senior manager or delegate(s)s annual approval
of both the list of Critical Assets and the list of Critical Cyber
Assets (even if such lists are null.)
E. Regional Variances
None identified.
Standard CIP0024 Cyber Security Critical Cyber As s et Identification
5
Version History
Version Date Action Change Tracking
1 January 16, 2006 R3.2 Change Control Center to control
center
03/24/06
2 Modifications to clarify the requirements and
to bring the compliance elements into
conformance with the latest guidelines for
developing compliance elements of standards.
Removal of reasonable business judgment.
Replaced the RRO with the RE as a
responsible entity.
Rewording of Effective Date.
Changed compliance monitor to Compliance
Enforcement Authority.
3 Updated version number from -2 to -3
3 12/16/09 Approved by the NERC Board of Trustees Update
4 12/30/10 Modified to add specific criteria for Critical
Asset identification
Update
4 1/24/11 Approved by the NERC Board of Trustees
4 4/19/12 FERC Order issued approving CIP-002-4
(approval becomes effective June 25, 2012)
Added approved VRF/VSL table to section
D.2.
Standard CIP0024 Cyber Security Critical Cyber As s et Identification
6
CIP-002-4 - Attachment 1
Critical Asset Criteria
The following are considered Critical Assets:
1.1. Each group of generating units (including nuclear generation) at a single plant location with
an aggregate highest rated net Real Power capability of the preceding 12 months equal to or
exceeding 1500 MW in a single Interconnection.
1.2. Each reactive resource or group of resources at a single location (excluding generation
Facilities) having aggregate net Reactive Power nameplate rating of 1000 MVAR or greater.
1.3. Each generation Facility that the Planning Coordinator or Transmission Planner designates
and informs the Generator Owner or Generator Operator as necessary to avoid BES Adverse
Reliability Impacts in the long-term planning horizon.
1.4. Each Blackstart Resource identified in the Transmission Operator's restoration plan.
1.5. The Facilities comprising the Cranking Paths and meeting the initial switching
requirements from the Blackstart Resource to the first interconnection point of the
generation unit(s) to be started, or up to the point on the Cranking Path where two or more
path options exist, as identified in the Transmission Operator's restoration plan.
1.6. Transmission Facilities operated at 500 kV or higher.
1.7. Transmission Facilities operated at 300 kV or higher at stations or substations interconnected
at 300 kV or higher with three or more other transmission stations or substations.
1.8. Transmission Facilities at a single station or substation location that are identified by the
Reliability Coordinator, Planning Authority or Transmission Planner as critical to the
derivation of Interconnection Reliability Operating Limits (IROLs) and their associated
contingencies.
1.9. Flexible AC Transmission Systems (FACTS), at a single station or substation location, that
are identified by the Reliability Coordinator, Planning Authority or Transmission Planner as
critical to the derivation of Interconnection Reliability Operating Limits (IROLs) and their
associated contingencies.
1.10. Transmission Facilities providing the generation interconnection required to connect
generator output to the transmission system that, if destroyed, degraded, misused, or
otherwise rendered unavailable, would result in the loss of the assets identified by any
Generator Owner as a result of its application of Attachment 1, criterion 1.1 or 1.3.
1.11. Transmission Facilities identified as essential to meeting Nuclear Plant Interface
Requirements.
1.12. Each Special Protection System (SPS), Remedial Action Scheme (RAS) or automated
switching system that operates BES Elements that, if destroyed, degraded, misused or
otherwise rendered unavailable, would cause one or more Interconnection Reliability
Operating Limits (IROLs) violations for failure to operate as designed.
1.13. Each system or Facility that performs automatic load shedding, without human operator
initiation, of 300 MW or more implementing Under Voltage Load Shedding (UVLS) or
Under Frequency Load Shedding (UFLS) as required by the regional load shedding program.
1.14. Each control center or backup control center used to perform the functional obligations of
the Reliability Coordinator.
Standard CIP0024 Cyber Security Critical Cyber As s et Identification
7
1.15. Each control center or backup control center used to control generation at multiple plant
locations, for any generation Facility or group of generation Facilities identified in criteria
1.1, 1.3, or 1.4. Each control center or backup control center used to control generation equal
to or exceeding 1500 MW in a single Interconnection.
1.16. Each control center or backup control center used to perform the functional obligations of
the Transmission Operator that includes control of at least one asset identified in criteria 1.2,
1.5, 1.6, 1.7, 1.8, 1.9, 1.10, 1.11 or 1.12.
1.17. Each control center or backup control center used to perform the functional obligations of
the Balancing Authority that includes at least one asset identified in criteria 1.1, 1.3, 1.4, or
1.13. Each control center or backup control center used to perform the functional
obligations of the Balancing Authority for generation equal to or greater than an aggregate of
1500 MW in a single Interconnection.
CIP-002-5 Cyber Security BES Cyber System Categorization
Page 1 of 34
A. Introduction
1. Title: Cyber Security BES Cyber System Categorization
2. Number: CIP-002-5
3. Purpose: To identify and categorize BES Cyber Systems and their associated BES
Cyber Assets for the application of cyber security requirements commensurate with
the adverse impact that loss, compromise, or misuse of those BES Cyber Systems
could have on the reliable operation of the BES. Identification and categorization of
BES Cyber Systems support appropriate protection against compromises that could
lead to misoperation or instability in the BES.
4. Applicability:
4.1. Functional Entities: For the purpose of the requirements contained herein, the
following list of functional entities will be collectively referred to as Responsible
Entities. For requirements in this standard where a specific functional entity or
subset of functional entities are the applicable entity or entities, the functional entity
or entities are specified explicitly.
4.1.1. Balancing Authority
4.1.2. Distribution Provider that owns one or more of the following Facilities, systems,
and equipment for the protection or restoration of the BES:
4.1.2.1. Each underfrequency load shedding (UFLS) or undervoltage load shedding
(UVLS) system that:
4.1.2.1.1. is part of a Load shedding program that is subject to one or more
requirements in a NERC or Regional Reliability Standard; and
4.1.2.1.2. performs automatic Load shedding under a common control system
owned by the Responsible Entity, without human operator initiation,
of 300 MW or more.
4.1.2.2. Each Special Protection System or Remedial Action Scheme where the
Special Protection System or Remedial Action Scheme is subject to one or
more requirements in a NERC or Regional Reliability Standard.
4.1.2.3. Each Protection System (excluding UFLS and UVLS) that applies to
Transmission where the Protection System is subject to one or more
requirements in a NERC or Regional Reliability Standard.
4.1.2.4. Each Cranking Path and group of Elements meeting the initial switching
requirements from a Blackstart Resource up to and including the first
interconnection point of the starting station service of the next generation
unit(s) to be started.
4.1.3. Generator Operator
4.1.4. Generator Owner
CIP-002-5 Cyber Security BES Cyber System Categorization
Page 2 of 34
4.1.5. Interchange Coordinator or Interchange Authority
4.1.6. Reliability Coordinator
4.1.7. Transmission Operator
4.1.8. Transmission Owner
4.2. Facilities: For the purpose of the requirements contained herein, the following
Facilities, systems, and equipment owned by each Responsible Entity in 4.1 above
are those to which these requirements are applicable. For requirements in this
standard where a specific type of Facilities, system, or equipment or subset of
Facilities, systems, and equipment are applicable, these are specified explicitly.
4.2.1. Distribution Provider: One or more of the following Facilities, systems and
equipment owned by the Distribution Provider for the protection or restoration
of the BES:
4.2.1.1. Each UFLS or UVLS System that:
4.2.1.1.1. is part of a Load shedding program that is subject to one or more
requirements in a NERC or Regional Reliability Standard; and
4.2.1.1.2. performs automatic Load shedding under a common control system
owned by the Responsible Entity, without human operator initiation,
of 300 MW or more.
4.2.1.2. Each Special Protection System or Remedial Action Scheme where the
Special Protection System or Remedial Action Scheme is subject to one or
more requirements in a NERC or Regional Reliability Standard.
4.2.1.3. Each Protection System (excluding UFLS and UVLS) that applies to
Transmission where the Protection System is subject to one or more
requirements in a NERC or Regional Reliability Standard.
4.2.1.4. Each Cranking Path and group of Elements meeting the initial switching
requirements from a Blackstart Resource up to and including the first
interconnection point of the starting station service of the next generation
unit(s) to be started.
4.2.2. Responsible Entities listed in 4.1 other than Distribution Providers:
All BES Facilities.
4.2.3. Exemptions: The following are exempt from Standard CIP-002-5:
4.2.3.1. Cyber Assets at Facilities regulated by the Canadian Nuclear Safety
Commission.
4.2.3.2. Cyber Assets associated with communication networks and data
communication links between discrete Electronic Security Perimeters.
CIP-002-5 Cyber Security BES Cyber System Categorization
Page 3 of 34
4.2.3.3. The systems, structures, and components that are regulated by the Nuclear
Regulatory Commission under a cyber security plan pursuant to 10 C.F.R.
Section 73.54.
4.2.3.4. For Distribution Providers, the systems and equipment that are not included
in section 4.2.1 above.
5. Effective Dates:
1. 24 Months Minimum CIP-002-5 shall become effective on the later of July 1,
2015, or the first calendar day of the ninth calendar quarter after the effective
date of the order providing applicable regulatory approval.
2. In those jurisdictions where no regulatory approval is required CIP-002-5 shall
become effective on the first day of the ninth calendar quarter following Board
of Trustees approval, or as otherwise made effective pursuant to the laws
applicable to such ERO governmental authorities.
6. Background:
This standard provides bright-line criteria for applicable Responsible Entities to
categorize their BES Cyber Systems based on the impact of their associated Facilities,
systems, and equipment, which, if destroyed, degraded, misused, or otherwise
rendered unavailable, would affect the reliable operation of the Bulk Electric System.
Several concepts provide the basis for the approach to the standard.
Throughout the standards, unless otherwise stated, bulleted items in the
requirements are items that are linked with an or, and numbered items are items
that are linked with an and.
Many references in the Applicability section and the criteria in Attachment 1 of CIP-
002 use a threshold of 300 MW for UFLS and UVLS. This particular threshold of 300
MW for UVLS and UFLS was provided in Version 1 of the CIP Cyber Security
Standards. The threshold remains at 300 MW since it is specifically addressing UVLS
and UFLS, which are last ditch efforts to save the Bulk Electric System. A review of
UFLS tolerances defined within regional reliability standards for UFLS program
requirements to date indicates that the historical value of 300 MW represents an
adequate and reasonable threshold value for allowable UFLS operational tolerances.
BES Cyber Systems
One of the fundamental differences between Versions 4 and 5 of the CIP Cyber
Security Standards is the shift from identifying Critical Cyber Assets to identifying BES
Cyber Systems. This change results from the drafting teams review of the NIST Risk
Management Framework and the use of an analogous term information system as
the target for categorizing and applying security controls.
CIP-002-5 Cyber Security BES Cyber System Categorization
Page 4 of 34
In transitioning from Version 4 to Version 5, a BES Cyber System can be viewed simply
as a grouping of Critical Cyber Assets (as that term is used in Version 4). The CIP Cyber
Security Standards use the BES Cyber System term primarily to provide a higher level
for referencing the object of a requirement. For example, it becomes possible to
apply requirements dealing with recovery and malware protection to a grouping
rather than individual Cyber Assets, and it becomes clearer in the requirement that
malware protection applies to the system as a whole and may not be necessary for
every individual device to comply.
Another reason for using the term BES Cyber System is to provide a convenient level
at which a Responsible Entity can organize their documented implementation of the
requirements and compliance evidence. Responsible Entities can use the well-
developed concept of a security plan for each BES Cyber System to document the
programs, processes, and plans in place to comply with security requirements.
It is left up to the Responsible Entity to determine the level of granularity at which to
identify a BES Cyber System within the qualifications in the definition of BES Cyber
System. For example, the Responsible Entity might choose to view an entire plant
control system as a single BES Cyber System, or it might choose to view certain
components of the plant control system as distinct BES Cyber Systems. The
Responsible Entity should take into consideration the operational environment and
CIP-002-5 Cyber Security BES Cyber System Categorization
Page 5 of 34
scope of management when defining the BES Cyber System boundary in order to
maximize efficiency in secure operations. Defining the boundary too tightly may result
in redundant paperwork and authorizations, while defining the boundary too broadly
could make the secure operation of the BES Cyber System difficult to monitor and
assess.
Reliable Operation of the BES
The scope of the CIP Cyber Security Standards is restricted to BES Cyber Systems that
would impact the reliable operation of the BES. In order to identify BES Cyber
Systems, Responsible Entities determine whether the BES Cyber Systems perform or
support any BES reliability function according to those reliability tasks identified for
their reliability function and the corresponding functional entitys responsibilities as
defined in its relationships with other functional entities in the NERC Functional
Model. This ensures that the initial scope for consideration includes only those BES
Cyber Systems and their associated BES Cyber Assets that perform or support the
reliable operation of the BES. The definition of BES Cyber Asset provides the basis for
this scoping.
Real-time Operations
One characteristic of the BES Cyber Asset is a real-time scoping characteristic. The
time horizon that is significant for BES Cyber Systems and BES Cyber Assets subject to
the application of these Version 5 CIP Cyber Security Standards is defined as that
which is material to real-time operations for the reliable operation of the BES. To
provide a better defined time horizon than Real-time, BES Cyber Assets are those
Cyber Assets that, if rendered unavailable, degraded, or misused, would adversely
impact the reliable operation of the BES within 15 minutes of the activation or
exercise of the compromise. This time window must not include in its consideration
the activation of redundant BES Cyber Assets or BES Cyber Systems: from the cyber
security standpoint, redundancy does not mitigate cyber security vulnerabilities.
Categorization Criteria
The criteria defined in Attachment 1 are used to categorize BES Cyber Systems into
impact categories. Requirement 1 only requires the discrete identification of BES
Cyber Systems for those in the high impact and medium impact categories. All BES
Cyber Systems for Facilities not included in Attachment 1 Impact Rating Criteria,
Criteria 1.1 to 1.4 and Criteria 2.1 to 2.11 default to be low impact.
This general process of categorization of BES Cyber Systems based on impact on the
reliable operation of the BES is consistent with risk management approaches for the
purpose of application of cyber security requirements in the remainder of the Version
5 CIP Cyber Security Standards.
Electronic Access Control or Monitoring Systems, Physical Access Control Systems,
and Protected Cyber Assets that are associated with BES Cyber Systems
CIP-002-5 Cyber Security BES Cyber System Categorization
Page 6 of 34
BES Cyber Systems have associated Cyber Assets, which, if compromised, pose a
threat to the BES Cyber System by virtue of: (a) their location within the Electronic
Security Perimeter (Protected Cyber Assets), or (b) the security control function they
perform (Electronic Access Control or Monitoring Systems and Physical Access Control
Systems). These Cyber Assets include:
Electronic Access Control or Monitoring Systems (EACMS) Examples include:
Electronic Access Points, Intermediate Devices, authentication servers (e.g.,
RADIUS servers, Active Directory servers, Certificate Authorities), security event
monitoring systems, and intrusion detection systems.
Physical Access Control Systems (PACS) Examples include: authentication
servers, card systems, and badge control systems.
Protected Cyber Assets (PCA) Examples may include, to the extent they are
within the ESP: file servers, ftp servers, time servers, LAN switches, networked
printers, digital fault recorders, and emission monitoring systems.
B. Requirements and Measures
R1. Each Responsible Entity shall implement a process that considers each of the
following assets for purposes of parts 1.1 through 1.3: [Violation Risk Factor:
High][Time Horizon: Operations Planning]
i.Control Centers and backup Control Centers;
ii.Transmission stations and substations;
iii.Generation resources;
iv.Systems and facilities critical to system restoration, including Blackstart
Resources and Cranking Paths and initial switching requirements;
v.Special Protection Systems that support the reliable operation of the Bulk
Electric System; and
vi.For Distribution Providers, Protection Systems specified in Applicability
section 4.2.1 above.
1.1. Identify each of the high impact BES Cyber Systems according to
Attachment 1, Section 1, if any, at each asset;
1.2. Identify each of the medium impact BES Cyber Systems according to
Attachment 1, Section 2, if any, at each asset; and
1.3. Identify each asset that contains a low impact BES Cyber System
according to Attachment 1, Section 3, if any (a discrete list of low impact
BES Cyber Systems is not required).
M1. Acceptable evidence includes, but is not limited to, dated electronic or physical lists
required by Requirement R1, and Parts 1.1 and 1.2.
CIP-002-5 Cyber Security BES Cyber System Categorization
Page 7 of 34
R2. The Responsible Entity shall: [Violation Risk Factor: Lower] [Time Horizon: Operations
Planning]
2.1 Review the identifications in Requirement R1 and its parts (and update
them if there are changes identified) at least once every 15 calendar
months, even if it has no identified items in Requirement R1, and
2.2 Have its CIP Senior Manager or delegate approve the identifications
required by Requirement R1 at least once every 15 calendar months,
even if it has no identified items in Requirement R1.
M2. Acceptable evidence includes, but is not limited to, electronic or physical dated
records to demonstrate that the Responsible Entity has reviewed and updated, where
necessary, the identifications required in Requirement R1 and its parts, and has had its
CIP Senior Manager or delegate approve the identifications required in Requirement
R1 and its parts at least once every 15 calendar months, even if it has none identified
in Requirement R1 and its parts, as required by Requirement R2.
C. Compliance
1. Compliance Monitoring Process:
1.1. Compliance Enforcement Authority:
The Regional Entity shall serve as the Compliance Enforcement Authority (CEA)
unless the applicable entity is owned, operated, or controlled by the Regional
Entity. In such cases the ERO or a Regional Entity approved by FERC or other
applicable governmental authority shall serve as the CEA.
1.2. Evidence Retention:
The following evidence retention periods identify the period of time an entity is
required to retain specific evidence to demonstrate compliance. For instances
where the evidence retention period specified below is shorter than the time
since the last audit, the CEA may ask an entity to provide other evidence to show
that it was compliant for the full time period since the last audit.
The Responsible Entity shall keep data or evidence to show compliance as
identified below unless directed by its CEA to retain specific evidence for a
longer period of time as part of an investigation:
Each Responsible Entity shall retain evidence of each requirement in this
standard for three calendar years.
If a Responsible Entity is found non-compliant, it shall keep information
related to the non-compliance until mitigation is complete and approved or
for the time specified above, whichever is longer.
CIP-002-5 Cyber Security BES Cyber System Categorization
Page 8 of 34
The CEA shall keep the last audit records and all requested and submitted
subsequent audit records.
1.3. Compliance Monitoring and Assessment Processes:
Compliance Audit
Self-Certification
Spot Checking
Compliance Investigation
Self-Reporting
Complaint
1.4. Additional Compliance Information
None
CIP-002-5 Cyber Security BES Cyber System Categorization
Page 9 of 34
2. Table of Compliance Elements
R # Time
Horizon
VRF Violation Severity Levels (CIP-002-5)
Lower VSL Moderate VSL High VSL Severe VSL
R1 Operations
Planning
High
For Responsible
Entities with more
than a total of 40 BES
assets in Requirement
R1, five percent or
fewer BES assets have
not been considered
according to
Requirement R1;
OR
For Responsible
Entities with a total of
40 or fewer BES assets,
2 or fewer BES assets
in Requirement R1,
have not been
considered according
to Requirement R1;
OR
For Responsible
Entities with more
than a total of 100
high and medium
impact BES Cyber
For Responsible
Entities with more
than a total of 40 BES
assets in Requirement
R1, more than five
percent but less than
or equal to 10 percent
of BES assets have not
been considered,
according to
Requirement R1;
OR
For Responsible
Entities with a total of
40 or fewer BES assets,
more than two, but
fewer than or equal to
four BES assets in
Requirement R1, have
not been considered
according to
Requirement R1;
OR
For Responsible
For Responsible
Entities with more
than a total of 40 BES
assets in Requirement
R1, more than 10
percent but less than
or equal to 15 percent
of BES assets have not
been considered,
according to
Requirement R1;
OR
For Responsible
Entities with a total of
40 or fewer BES assets,
more than four, but
fewer than or equal to
six BES assets in
Requirement R1, have
not been considered
according to
Requirement R1;
OR
For Responsible
For Responsible
Entities with more
than a total of 40 BES
assets in Requirement
R1, more than 15
percent of BES assets
have not been
considered, according
to Requirement R1;
OR
For Responsible
Entities with a total of
40 or fewer BES assets,
more than six BES
assets in Requirement
R1, have not been
considered according
to Requirement R1;
OR
For Responsible
Entities with more
than a total of 100
high and medium
impact BES Cyber
CIP-002-5 Cyber Security BES Cyber System Categorization
Page 10 of 34
R # Time
Horizon
VRF Violation Severity Levels (CIP-002-5)
Lower VSL Moderate VSL High VSL Severe VSL
Systems, five percent
or fewer of identified
BES Cyber Systems
have not been
categorized or have
been incorrectly
categorized at a lower
category;
OR
For Responsible
Entities with a total of
100 or fewer high and
medium impact BES
Cyber Systems, five or
fewer identified BES
Cyber Systems have
not been categorized
or have been
incorrectly categorized
at a lower category.
OR
For Responsible
Entities with more
than a total of 100
high and medium
impact BES Cyber
Entities with more
than a total of 100
high and medium
impact BES Cyber
Systems, more than
five percent but less
than or equal to 10
percent of identified
BES Cyber Systems
have not been
categorized or have
been incorrectly
categorized at a lower
category;
OR
For Responsible
Entities with a total of
100 or fewer high and
medium impact and
BES Cyber Systems,
more than five but less
than or equal to 10
identified BES Cyber
Systems have not been
categorized or have
been incorrectly
categorized at a lower
Entities with more
than a total of 100
high or medium
impact BES Cyber
Systems, more than 10
percent but less than
or equal to 15 percent
of identified BES Cyber
Systems have not been
categorized or have
been incorrectly
categorized at a lower
category;
OR
For Responsible
Entities with a total of
100 or fewer high or
medium impact and
BES Cyber Assets,
more than 10 but less
than or equal to 15
identified BES Cyber
Assets have not been
categorized or have
been incorrectly
categorized at a lower
Systems, more than 15
percent of identified
BES Cyber Systems
have not been
categorized or have
been incorrectly
categorized at a lower
category;
OR
For Responsible
Entities with a total of
100 or fewer high and
medium impact BES
Cyber Systems, more
than 15 identified BES
Cyber Systems have
not been categorized
or have been
incorrectly categorized
at a lower category.
OR
For Responsible
Entities with more
than a total of 100
high and medium
impact BES Cyber
CIP-002-5 Cyber Security BES Cyber System Categorization
Page 11 of 34
R # Time
Horizon
VRF Violation Severity Levels (CIP-002-5)
Lower VSL Moderate VSL High VSL Severe VSL
Systems, five percent
or fewer high or
medium BES Cyber
Systems have not been
identified;
OR
For Responsible
Entities with a total of
100 or fewer high and
medium impact BES
Cyber Systems, five or
fewer high or medium
BES Cyber Systems
have not been
identified.
category.
OR
For Responsible
Entities with more
than a total of 100
high and medium
impact BES Cyber
Systems, more than
five percent but less
than or equal to 10
percent high or
medium BES Cyber
Systems have not been
identified;
OR
For Responsible
Entities with a total of
100 or fewer high and
medium impact BES
Cyber Systems, more
than five but less than
or equal to 10 high or
medium BES Cyber
Systems have not been
identified.
category.
OR
For Responsible
Entities with more
than a total of 100
high and medium
impact BES Cyber
Systems, more than 10
percent but less than
or equal to 15 percent
high or medium BES
Cyber Systems have
not been identified;
OR
For Responsible
Entities with a total of
100 or fewer high and
medium impact BES
Cyber Systems, more
than 10 but less than
or equal to 15 high or
medium BES Cyber
Systems have not been
identified.
Systems, more than 15
percent of high or
medium impact BES
Cyber Systems have
not been identified;
OR
For Responsible
Entities with a total of
100 or fewer high and
medium impact BES
Cyber Systems, more
than 15 high or
medium impact BES
Cyber Systems have
not been identified.
CIP-002-5 Cyber Security BES Cyber System Categorization
Page 12 of 34
R # Time
Horizon
VRF Violation Severity Levels (CIP-002-5)
Lower VSL Moderate VSL High VSL Severe VSL
R2 Operations
Planning
Lower The Responsible Entity
did not complete its
review and update for
the identification
required for R1 within
15 calendar months
but less than or equal
to 16 calendar months
of the previous review.
(R2.1)
OR
The Responsible Entity
did not complete its
approval of the
identifications
required by R1 by the
CIP Senior Manager or
delegate according to
Requirement R2 within
15 calendar months
but less than or equal
to 16 calendar months
of the previous
approval. (R2.2)
The Responsible Entity
did not complete its
review and update for
the identification
required for R1 within
16 calendar months
but less than or equal
to 17 calendar months
of the previous review.
(R2.1)
OR
The Responsible Entity
failed to complete its
approval of the
identifications
required by R1 by the
CIP Senior Manager or
delegate according to
Requirement R2 within
16 calendar months
but less than or equal
to 17 calendar months
of the previous
approval. (R2.2)
The Responsible Entity
did not complete its
review and update for
the identification
required for R1 within
17 calendar months
but less than or equal
to 18 calendar months
of the previous review.
(R2.1)
OR
The Responsible Entity
failed to complete its
approval of the
identifications
required by R1 by the
CIP Senior Manager or
delegate according to
Requirement R2 within
17 calendar months
but less than or equal
to 18 calendar months
of the previous
approval. (R2.2)
The Responsible Entity
did not complete its
review and update for
the identification
required for R1 within
18 calendar months of
the previous review.
(R2.1)
OR
The Responsible Entity
failed to complete its
approval of the
identifications
required by R1 by the
CIP Senior Manager or
delegate according to
Requirement R2 within
18 calendar months of
the previous approval.
(R2.2)
CIP-002-5 Cyber Security BES Cyber System Categorization
Page 13 of 34
D. Regional Variances
None.
E. Interpretations
None.
F. Associated Documents
None.
CIP-002-5 Cyber Security BES Cyber System Categorization
Page 14 of 34
CIP-002-5 - Attachment 1
Impact Rating Criteria
The criteria defined in Attachment 1 do not constitute stand-alone compliance requirements,
but are criteria characterizing the level of impact and are referenced by requirements.
1. High Impact Rating (H)
Each BES Cyber System used by and located at any of the following:
1.1. Each Control Center or backup Control Center used to perform the functional
obligations of the Reliability Coordinator.
1.2. Each Control Center or backup Control Center used to perform the functional
obligations of the Balancing Authority: 1) for generation equal to or greater than an
aggregate of 3000 MW in a single Interconnection, or 2) for one or more of the assets
that meet criterion 2.3, 2.6, or 2.9.
1.3. Each Control Center or backup Control Center used to perform the functional
obligations of the Transmission Operator for one or more of the assets that meet
criterion 2.2, 2.4, 2.5, 2.7, 2.8, 2.9, or 2.10.
1.4 Each Control Center or backup Control Center used to perform the functional
obligations of the Generator Operator for one or more of the assets that meet
criterion 2.1, 2.3, 2.6, or 2.9.
2. Medium Impact Rating (M)
Each BES Cyber System, not included in Section 1 above, associated with any of the following:
2.1. Commissioned generation, by each group of generating units at a single plant location,
with an aggregate highest rated net Real Power capability of the preceding 12
calendar months equal to or exceeding 1500 MW in a single Interconnection. For each
group of generating units, the only BES Cyber Systems that meet this criterion are
those shared BES Cyber Systems that could, within 15 minutes, adversely impact the
reliable operation of any combination of units that in aggregate equal or exceed 1500
MW in a single Interconnection.
2.2. Each BES reactive resource or group of resources at a single location (excluding
generation Facilities) with an aggregate maximum Reactive Power nameplate rating of
1000 MVAR or greater (excluding those at generation Facilities). The only BES Cyber
Systems that meet this criterion are those shared BES Cyber Systems that could,
within 15 minutes, adversely impact the reliable operation of any combination of
resources that in aggregate equal or exceed 1000 MVAR.
CIP-002-5 Cyber Security BES Cyber System Categorization
Page 15 of 34
2.3. Each generation Facility that its Planning Coordinator or Transmission Planner
designates, and informs the Generator Owner or Generator Operator, as necessary to
avoid an Adverse Reliability Impact in the planning horizon of more than one year.
2.4. Transmission Facilities operated at 500 kV or higher. For the purpose of this criterion,
the collector bus for a generation plant is not considered a Transmission Facility, but is
part of the generation interconnection Facility.
2.5. Transmission Facilities that are operating between 200 kV and 499 kV at a single
station or substation, where the station or substation is connected at 200 kV or higher
voltages to three or more other Transmission stations or substations and has an
"aggregate weighted value" exceeding 3000 according to the table below. The
"aggregate weighted value" for a single station or substation is determined by
summing the "weight value per line" shown in the table below for each incoming and
each outgoing BES Transmission Line that is connected to another Transmission
station or substation. For the purpose of this criterion, the collector bus for a
generation plant is not considered a Transmission Facility, but is part of the generation
interconnection Facility.
2.6. Generation at a single plant location or Transmission Facilities at a single station or
substation location that are identified by its Reliability Coordinator, Planning
Coordinator, or Transmission Planner as critical to the derivation of Interconnection
Reliability Operating Limits (IROLs) and their associated contingencies.
2.7. Transmission Facilities identified as essential to meeting Nuclear Plant Interface
Requirements.
2.8. Transmission Facilities, including generation interconnection Facilities, providing the
generation interconnection required to connect generator output to the Transmission
Systems that, if destroyed, degraded, misused, or otherwise rendered unavailable,
would result in the loss of the generation Facilities identified by any Generator Owner
as a result of its application of Attachment 1, criterion 2.1 or 2.3.
2.9. Each Special Protection System (SPS), Remedial Action Scheme (RAS), or automated
switching System that operates BES Elements, that, if destroyed, degraded, misused or
otherwise rendered unavailable, would cause one or more Interconnection Reliability
Operating Limits (IROLs) violations for failure to operate as designed or cause a
reduction in one or more IROLs if destroyed, degraded, misused, or otherwise
rendered unavailable.
Voltage Value of a Line Weight Value per Line
less than 200 kV (not applicable) (not applicable)
200 kV to 299 kV 700
300 kV to 499 kV 1300
500 kV and above 0
CIP-002-5 Cyber Security BES Cyber System Categorization
Page 16 of 34
2.10. Each system or group of Elements that performs automatic Load shedding under a
common control system, without human operator initiation, of 300 MW or more
implementing undervoltage load shedding (UVLS) or underfrequency load shedding
(UFLS) under a load shedding program that is subject to one or more requirements in
a NERC or regional reliability standard.
2.11. Each Control Center or backup Control Center, not already included in High Impact
Rating (H) above, used to perform the functional obligations of the Generator
Operator for an aggregate highest rated net Real Power capability of the preceding 12
calendar months equal to or exceeding 1500 MW in a single Interconnection.
2.12. Each Control Center or backup Control Center used to perform the functional
obligations of the Transmission Operator not included in High Impact Rating (H),
above.
2.13. Each Control Center or backup Control Center, not already included in High Impact
Rating (H) above, used to perform the functional obligations of the Balancing
Authority for generation equal to or greater than an aggregate of 1500 MW in a single
Interconnection.
3. Low Impact Rating (L)
BES Cyber Systems not included in Sections 1 or 2 above that are associated with any of the
following assets and that meet the applicability qualifications in Section 4 - Applicability, part
4.2 Facilities, of this standard:
3.1. Control Centers and backup Control Centers.
3.2. Transmission stations and substations.
3.3. Generation resources.
3.4. Systems and facilities critical to system restoration, including Blackstart Resources and
Cranking Paths and initial switching requirements.
3.5. Special Protection Systems that support the reliable operation of the Bulk Electric
System.
3.6. For Distribution Providers, Protection Systems specified in Applicability section 4.2.1
above.
Guidelines and Technical Basis
Page 17 of 34
Guidelines and Technical Basis
Section 4 Scope of Applicability of the CIP Cyber Security Standards
Section 4. Applicability of the standards provides important information for Responsible
Entities to determine the scope of the applicability of the CIP Cyber Security Requirements.
Section 4.1. Functional Entities is a list of NERC functional entities to which the standard
applies. If the entity is registered as one or more of the functional entities listed in section 4.1,
then the NERC CIP Cyber Security Standards apply. Note that there is a qualification in section
4.1 that restricts the applicability in the case of Distribution Providers to only those that own
certain types of systems and equipment listed in 4.2.
Section 4.2. Facilities defines the scope of the Facilities, systems, and equipment owned by
the Responsible Entity, as qualified in section 4.1, that is subject to the requirements of the
standard. In addition to the set of BES Facilities, Control Centers, and other systems and
equipment, the list includes the qualified set of systems and equipment owned by Distribution
Providers. While the NERC Glossary term Facilities already includes the BES characteristic, the
additional use of the term BES here is meant to reinforce the scope of applicability of these
Facilities where it is used, especially in this applicability scoping section. This in effect sets the
scope of Facilities, systems, and equipment that is subject to the standards. This section is
especially significant in CIP-002-5 and represents the total scope of Facilities, systems, and
equipment to which the criteria in Attachment 1 apply. This is important because it determines
the balance of these Facilities, systems, and equipment that are Low Impact once those that
qualify under the High and Medium Impact categories are filtered out.
For the purpose of identifying groups of Facilities, systems, and equipment, whether by location
or otherwise, the Responsible Entity identifies assets as described in Requirement R1 of CIP-
002-5. This is a process familiar to Responsible Entities that have to comply with versions 1, 2,
3, and 4 of the CIP standards for Critical Assets. As in versions 1, 2, 3, and 4, Responsible Entities
may use substations, generation plants, and Control Centers at single site locations as
identifiers of these groups of Facilities, systems, and equipment.
CIP-002-5
CIP-002-5 requires that applicable Responsible Entities categorize their BES Cyber Systems and
associated BES Cyber Assets according to the criteria in Attachment 1. A BES Cyber Asset
includes in its definition, that if rendered unavailable, degraded, or misused would, within 15
minutes adversely impact the reliable operation of the BES.
The following provides guidance that a Responsible Entity may use to identify the BES Cyber
Systems that would be in scope. The concept of BES reliability operating service is useful in
providing Responsible Entities with the option of a defined process for scoping those BES Cyber
Guidelines and Technical Basis
Page 18 of 34
Systems that would be subject to CIP-002-5. The concept includes a number of named BES
reliability operating services. These named services include:
Dynamic Response to BES conditions
Balancing Load and Generation
Controlling Frequency (Real Power)
Controlling Voltage (Reactive Power)
Managing Constraints
Monitoring & Control
Restoration of BES
Situational Awareness
Inter-Entity Real-Time Coordination and Communication
Responsibility for the reliable operation of the BES is spread across all Entity Registrations. Each
entity registration has its own special contribution to reliable operations and the following
discussion helps identify which entity registration, in the context of those functional entities to
which these CIP standards apply, performs which reliability operating service, as a process to
identify BES Cyber Systems that would be in scope. The following provides guidance for
Responsible Entities to determine applicable reliability operations services according to their
Function Registration type.
Entity Registration RC BA TOP TO DP GOP GO
Dynamic Response X X X X X X
Balancing Load &
Generation
X X X X X X X
Controlling Frequency X X X
Controlling Voltage X X X X
Managing Constraints X X X
Monitoring and Control X X
Restoration X X
Situation Awareness X X X X
Inter-Entity coordination X X X X X X
Dynamic Response
The Dynamic Response Operating Service includes those actions performed by BES Elements or
subsystems which are automatically triggered to initiate a response to a BES condition. These
actions are triggered by a single element or control device or a combination of these elements
or devices in concert to perform an action or cause a condition in reaction to the triggering
action or condition. The types of dynamic responses that may be considered as potentially
having an impact on the BES are:
Guidelines and Technical Basis
Page 19 of 34
Spinning reserves (contingency reserves)
Providing actual reserve generation when called upon (GO,GOP)
Monitoring that reserves are sufficient (BA)
Governor Response
Control system used to actuate governor response (GO)
Protection Systems (transmission & generation)
Lines, buses, transformers, generators (DP, TO, TOP, GO, GOP)
Zone protection for breaker failure (DP, TO, TOP)
Breaker protection (DP, TO, TOP)
Current, frequency, speed, phase (TO,TOP, GO,GOP)
Special Protection Systems or Remedial Action Schemes
Sensors, relays, and breakers, possibly software (DP, TO, TOP)
Under and Over Frequency relay protection (includes automatic load shedding)
Sensors, relays & breakers (DP)
Under and Over Voltage relay protection (includes automatic load shedding)
Sensors, relays & breakers (DP)
Power System Stabilizers (GO)
Balancing Load and Generation
The Balancing Load and Generation Operations Service includes activities, actions and
conditions necessary for monitoring and controlling generation and load in the operations
planning horizon and in real-time. Aspects of the Balancing Load and Generation function
include, but are not limited to:
Calculation of Area Control Error (ACE)
Field data sources (real time tie flows, frequency sources, time error, etc) (TO, TOP)
Software used to perform calculation (BA)
Demand Response
Ability to identify load change need (BA)
Ability to implement load changes (TOP,DP)
Manually Initiated Load shedding
Ability to identify load change need (BA)
Ability to implement load changes (TOP, DP)
Guidelines and Technical Basis
Page 20 of 34
Non-spinning reserve (contingency reserve)
Know generation status, capability, ramp rate, start time (GO, BA)
Start units and provide energy (GOP)
Controlling Frequency (Real Power)
The Controlling Frequency Operations Service includes activities, actions and conditions which
ensure, in real time, that frequency remains within bounds acceptable for the reliability or
operability of the BES. Aspects of the Controlling Frequency function include, but are limited
to:
Generation Control (such as AGC)
ACE, current generator output, ramp rate, unit characteristics (BA, GOP, GO)
Software to calculate unit adjustments (BA)
Transmit adjustments to individual units (GOP)
Unit controls implementing adjustments (GOP)
Regulation (regulating reserves)
Frequency source, schedule (BA)
Governor control system (GO)
Controlling Voltage (Reactive Power)
The Controlling Voltage Operations Service includes activities, actions and conditions which
ensure, in real time, that voltage remains within bounds acceptable for the reliability or
operability of the BES. Aspects of the Controlling Voltage function include, but are not limited
to:
Automatic Voltage Regulation (AVR)
Sensors, stator control system, feedback (GO)
Capacitive resources
Status, control (manual or auto), feedback (TOP, TO,DP)
Inductive resources (transformer tap changer, or inductors)
Status, control (manual or auto), feedback (TOP,TO,DP)
Static VAR Compensators (SVC)
Status, computations, control (manual or auto), feedback (TOP, TO,DP)
Guidelines and Technical Basis
Page 21 of 34
Managing Constraints
Managing Constraints includes activities, actions and conditions that are necessary to ensure
that elements of the BES operate within design limits and constraints established for the
reliability and operability of the BES. Aspects of the Managing Constraints include, but are not
limited to:
Available Transfer Capability (ATC) (TOP)
Interchange schedules (TOP, RC)
Generation re-dispatch and unit commit (GOP)
Identify and monitor SOLs & IROLs (TOP, RC)
Identify and monitor Flow gates (TOP, RC)
Monitoring and Control
Monitoring and Control includes those activities, actions and conditions that provide
monitoring and control of BES Elements. An example aspect of the Control and Operation
function is:
All methods of operating breakers and switches
SCADA (TOP, GOP)
Substation automation (TOP)
Restoration of BES
The Restoration of BES Operations Service includes activities, actions and conditions necessary
to go from a shutdown condition to an operating condition delivering electric power without
external assistance. Aspects of the Restoration of BES function include, but are not limited to:
Restoration including planned cranking path
Through black start units (TOP, GOP)
Through tie lines (TOP, GOP)
Off-site power for nuclear facilities. (TOP, TO, BA, RC, DP, GO, GOP)
Coordination (TOP, TO, BA, RC, DP, GO, GOP)
Situational Awareness
The Situational Awareness function includes activities, actions and conditions established by
policy, directive or standard operating procedure necessary to assess the current condition of
the BES and anticipate effects of planned and unplanned changes to conditions. Aspects of the
Situation Awareness function include:
Guidelines and Technical Basis
Page 22 of 34
Monitoring and alerting (such as EMS alarms) (TOP, GOP, RC,BA)
Change management (TOP,GOP,RC,BA)
Current Day and Next Day planning (TOP)
Contingency Analysis (RC)
Frequency monitoring (BA, RC)
Inter-Entity Coordination
The Inter-Entity coordination and communication function includes activities, actions, and
conditions established by policy, directive, or standard operating procedure necessary for the
coordination and communication between Responsible Entities to ensure the reliability and
operability of the BES. Aspects of the Inter-Entity Coordination and Communication function
include:
Scheduled interchange (BA,TOP,GOP,RC)
Facility operational data and status (TO, TOP, GO, GOP, RC, BA)
Operational directives (TOP, RC, BA)
Applicability to Distribution Providers
It is expected that only Distribution Providers that own or operate facilities that qualify in the
Applicability section will be subject to these Version 5 Cyber Security Standards. Distribution
Providers that do not own or operate any facility that qualifies are not subject to these
standards. The qualifications are based on the requirements for registration as a Distribution
Provider and on the requirements applicable to Distribution Providers in NERC Standard EOP-
005.
Requirement R1:
Requirement R1 implements the methodology for the categorization of BES Cyber Systems
according to their impact on the BES. Using the traditional risk assessment equation, it reduces
the measure of the risk to an impact (consequence) assessment, assuming the vulnerability
index of 1 (the Systems are assumed to be vulnerable) and a probability of threat of 1 (100
percent). The criteria in Attachment 1 provide a measure of the impact of the BES assets
supported by these BES Cyber Systems.
Responsible Entities are required to identify and categorize those BES Cyber Systems that have
high and medium impact. BES Cyber Systems for BES assets not specified in Attachment 1,
Criteria 1.1 1.4 and Criteria 2.1 2.11 default to low impact.
Guidelines and Technical Basis
Page 23 of 34
Attachment 1
Overall Application
In the application of the criteria in Attachment 1, Responsible Entities should note that the
approach used is based on the impact of the BES Cyber System as measured by the bright-line
criteria defined in Attachment 1.
When the drafting team uses the term Facilities, there is some latitude to Responsible
Entities to determine included Facilities. The term Facility is defined in the NERC Glossary of
Terms as A set of electrical equipment that operates as a single Bulk Electric System
Element (e.g., a line, a generator, a shunt compensator, transformer, etc.). In most cases,
the criteria refer to a group of Facilities in a given location that supports the reliable
operation of the BES. For example, for Transmission assets, the substation may be
designated as the group of Facilities. However, in a substation that includes equipment that
supports BES operations along with equipment that only supports Distribution operations,
the Responsible Entity may be better served to consider only the group of Facilities that
supports BES operation. In that case, the Responsible Entity may designate the group of
Facilities by location, with qualifications on the group of Facilities that supports reliable
operation of the BES, as the Facilities that are subject to the criteria for categorization of
BES Cyber Systems. Generation Facilities are separately discussed in the Generation section
below. In CIP-002-5, these groups of Facilities, systems, and equipment are sometimes
designated as BES assets. For example, an identified BES asset may be a named substation,
generating plant, or Control Center. Responsible Entities have flexibility in how they group
Facilities, systems, and equipment at a location.
In certain cases, a BES Cyber System may be categorized by meeting multiple criteria. In
such cases, the Responsible Entity may choose to document all criteria that result in the
categorization. This will avoid inadvertent miscategorization when it no longer meets one
of the criteria, but still meets another.
It is recommended that each BES Cyber System should be listed by only one Responsible
Entity. Where there is joint ownership, it is advisable that the owning Responsible Entities
should formally agree on the designated Responsible Entity responsible for compliance with
the standards.
This category includes those BES Cyber Systems, used by and at Control Centers (and the
associated data centers included in the definition of Control Centers), that perform the
functional obligations of the Reliability Coordinator (RC), Balancing Authority (BA), Transmission
Operator (TOP), or Generator Operator (GOP), as defined under the Tasks heading of the
applicable Function and the Relationship with Other Entities heading of the functional entity in
the NERC Functional Model, and as scoped by the qualification in Attachment 1, Criteria 1.1,
1.2, 1.3 and 1.4. While those entities that have been registered as the above-named functional
entities are specifically referenced, it must be noted that there may be agreements where some
High Impact Rating (H)
Guidelines and Technical Basis
Page 24 of 34
of the functional obligations of a Transmission Operator may be delegated to a Transmission
Owner (TO). In these cases, BES Cyber Systems at these TO Control Centers that perform these
functional obligations would be subject to categorization as high impact. The criteria notably
specifically emphasize functional obligations, not necessarily the RC, BA, TOP, or GOP facilities.
One must note that the definition of Control Center specifically refers to reliability tasks for RCs,
BAs, TOPs, and GOPs. A TO BES Cyber System in a TO facility that does not perform or does not
have an agreement with a TOP to perform any of these functional tasks does not meet the
definition of a Control Center. However, if that BES Cyber System operates any of the facilities
that meet criteria in the Medium Impact category, that BES Cyber System would be categorized
as a Medium Impact BES Cyber System.
The 3000 MW threshold defined in criterion 1.2 for BA Control Centers provides a sufficient
differentiation of the threshold defined for Medium Impact BA Control Centers. An analysis of
BA footprints shows that the majority of BAs with significant impact are covered under this
criterion.
Additional thresholds as specified in the criteria apply for this category.
Generation
Medium Impact Rating (M)
The criteria in Attachment 1s medium impact category that generally apply to Generation
Owner and Operator (GO/GOP) Registered Entities are criteria 2.1, 2.3, 2.6, 2.9, and 2.11.
Criterion 2.13 for BA Control Centers is also included here.
Criterion 2.1 designates as medium impact those BES Cyber Systems that impact generation
with a net Real Power capability exceeding 1500 MW. The 1500 MW criterion is sourced
partly from the Contingency Reserve requirements in NERC standard BAL-002, whose
purpose is to ensure the Balancing Authority is able to utilize its Contingency Reserve to
balance resources and demand and return Interconnection frequency within defined limits
following a Reportable Disturbance. In particular, it requires that as a minimum, the
Balancing Authority or Reserve Sharing Group shall carry at least enough Contingency
Reserve to cover the most severe single contingency. The drafting team used 1500 MW as
a number derived from the most significant Contingency Reserves operated in various BAs
in all regions.
In the use of net Real Power capability, the drafting team sought to use a value that could
be verified through existing requirements as proposed by NERC standard MOD-024 and
current development efforts in that area.
By using 1500 MW as a bright-line, the intent of the drafting team was to ensure that BES
Cyber Systems with common mode vulnerabilities that could result in the loss of 1500 MW
or more of generation at a single plant for a unit or group of units are adequately protected.
Guidelines and Technical Basis
Page 25 of 34
The drafting team also used additional time and value parameters to ensure the bright-lines
and the values used to measure against them were relatively stable over the review period.
Hence, where multiple values of net Real Power capability could be used for the Facilities
qualification against these bright-lines, the highest value was used.
In Criterion 2.3, the drafting team sought to ensure that BES Cyber Systems for those
generation Facilities that have been designated by the Planning Coordinator or
Transmission Planner as necessary to avoid BES Adverse Reliability Impacts in the planning
horizon of one year or more are categorized as medium impact. In specifying a planning
horizon of one year or more, the intent is to ensure that those are units that are identified
as a result of a long term reliability planning, i.e that the plans are spanning an operating
period of at least 12 months: it does not mean that the operating day for the unit is
necessarily beyond one year, but that the period that is being planned for is more than 1
year: it is specifically intended to avoid designating generation that is required to be run to
remediate short term emergency reliability issues. These Facilities may be designated as
Reliability Must Run, and this designation is distinct from those generation Facilities
designated as must run for market stabilization purposes. Because the use of the term
must run creates some confusion in many areas, the drafting team chose to avoid using
this term and instead drafted the requirement in more generic reliability language. In
particular, the focus on preventing an Adverse Reliability Impact dictates that these units
are designated as must run for reliability purposes beyond the local area. Those units
designated as must run for voltage support in the local area would not generally be given
this designation. In cases where there is no designated Planning Coordinator, the
Transmission Planner is included as the Registered Entity that performs this designation.
If it is determined through System studies that a unit must run in order to preserve the
reliability of the BES, such as due to a Category C3 contingency as defined in TPL-003, then
BES Cyber Systems for that unit are categorized as medium impact.
The TPL standards require that, where the studies and plans indicate additional actions, that
these studies and plans be communicated by the Planning Coordinator or Transmission
Planner in writing to the Regional Entity/RRO. Actions necessary for the implementation of
these plans by affected parties (generation owners/operators and Reliability Coordinators
or other necessary party) are usually formalized in the form of an agreement and/or
contract.
Criterion 2.6 includes BES Cyber Systems for those Generation Facilities that have been
identified as critical to the derivation of IROLs and their associated contingencies, as
specified by FAC-014-2, Establish and Communicate System Operating Limits, R5.1.1 and
R5.1.3.
IROLs may be based on dynamic System phenomena such as instability or voltage collapse.
Derivation of these IROLs and their associated contingencies often considers the effect of
generation inertia and AVR response.
Guidelines and Technical Basis
Page 26 of 34
Criterion 2.9 categorizes BES Cyber Systems for Special Protection Systems and Remedial
Action Schemes as medium impact. Special Protection Systems and Remedial Action
Schemes may be implemented to prevent disturbances that would result in exceeding IROLs
if they do not provide the function required at the time it is required or if it operates
outside of the parameters it was designed for. Generation Owners and Generator Operators
which own BES Cyber Systems for such Systems and schemes designate them as medium
impact.
Criterion 2.11 categorizes as medium impact BES Cyber Systems used by and at Control
Centers that perform the functional obligations of the Generator Operator for an aggregate
generation of 1500 MW or higher in a single interconnection, and that have not already
been included in Part 1. .
Criterion 2.13 categorizes as medium impact those BA Control Centers that control 1500
MW of generation or more in a single interconnection and that have not already been
included in Part 1. The 1500 MW threshold is consistent with the impact level and rationale
specified for Criterion 2.1.
Transmission
The SDT uses the phrases Transmission Facilities at a single station or substation and
Transmission stations or substations to recognize the existence of both stations and
substations. Many entities in industry consider a substation to be a location with physical
borders (i.e. fence, wall, etc.) that contains at least an autotransformer. Locations also exist
that do not contain autotransformers, and many entities in industry refer to those locations as
stations (or switchyards). Therefore, the SDT chose to use both station and substation to
refer to the locations where groups of Transmission Facilities exist.
Criteria 2.2, 2.4 through 2.10, and 2.12 in Attachment 1 are the criteria that are applicable
to Transmission Owners and Operators. In many of the criteria, the impact threshold is
defined as the capability of the failure or compromise of a System to result in exceeding one
or more Interconnection Reliability Operating Limits (IROLs). Criterion 2.2 includes BES
Cyber Systems for those Facilities in Transmission Systems that provide reactive resources
to enhance and preserve the reliability of the BES. The nameplate value is used here
because there is no NERC requirement to verify actual capability of these Facilities. The
value of 1000 MVARs used in this criterion is a value deemed reasonable for the purpose of
determining criticality.
Criterion 2.4 includes BES Cyber Systems for any Transmission Facility at a substation
operated at 500 kV or higher. While the drafting team felt that Facilities operated at 500 kV
or higher did not require any further qualification for their role as components of the
Guidelines and Technical Basis
Page 27 of 34
backbone on the Interconnected BES, Facilities in the lower EHV range should have
additional qualifying criteria for inclusion in the medium impact category.
It must be noted that if the collector bus for a generation plant (i.e. the plant is smaller in
aggregate than the threshold set for generation in Criterion 2.1) is operated at 500kV, the
collector bus should be considered a Generation Interconnection Facility, and not a
Transmission Facility, according to the Final Report from the Ad Hoc Group for Generation
Requirements at the Transmission Interface. This collector bus would not be a facility for a
medium impact BES Cyber System because it does not significantly affect the 500kV
Transmission grid; it only affects a plant which is below the generation threshold.
Criterion 2.5 includes BES Cyber Systems for facilities at the lower end of BES Transmission
with qualifications for inclusion if they are deemed highly likely to have significant impact
on the BES. While the criterion has been specified as part of the rationale for requiring
protection for significant impact on the BES, the drafting team included, in this criterion,
additional qualifications that would ensure the required level of impact to the BES. The
drafting team:
Excluded radial facilities that would only provide support for single generation
facilities.
Specified interconnection to at least three transmission stations or substations to
ensure that the level of impact would be appropriate.
The total aggregated weighted value of 3,000 was derived from weighted values related to
three connected 345 kV lines and five connected 230 kV lines at a transmission station or
substation. The total aggregated weighted value is used to account for the true impact to
the BES, irrespective of line kV rating and mix of multiple kV rated lines.
Additionally, in NERCs document Integrated Risk Assessment Approach Refinement to
Severity Risk Index, Attachment 1, the report used an average MVA line loading based on
kV rating:
230 kV > 700 MVA
345 kV > 1,300 MVA
500 kV > 2,000 MVA
765 kV > 3,000 MVA
In the terms of applicable lines and connecting other Transmission stations or substations
determinations, the following should be considered:
For autotransformers in a station, Responsible Entities have flexibility in determining
whether the groups of Facilities are considered a single substation or station
location or multiple substations or stations. In most cases, Responsible Entities
Guidelines and Technical Basis
Page 28 of 34
would probably consider them as Facilities at a single substation or station unless
geographically dispersed. In these cases of these transformers being within the
fence of the substation or station, autotransformers may not count as separate
connections to other stations. The use of common BES Cyber Systems may negate
any rationale for any consideration otherwise. In the case of autotransformers that
are geographically dispersed from a station location, the calculation would take into
account the connections in and out of each station or substation location.
Multiple-point (or multiple-tap) lines are considered to contribute a single weight
value per line and affect the number of connections to other stations. Therefore, a
single 230 kV multiple-point line between three Transmission stations or substations
would contribute an aggregated weighted value of 700 and connect Transmission
Facilities at a single station or substation to two other Transmission stations or
substations.
Multiple lines between two Transmission stations or substations are considered to
contribute multiple weight values per line, but these multiple lines between the two
stations only connect one station to one other station. Therefore, two 345 kV lines
between two Transmission stations or substations would contribute an aggregated
weighted value of 2600 and connect Transmission Facilities at a single station or
substation to one other Transmission station or substation.
Criterion 2.5s qualification for Transmission Facilities at a Transmission station or
substation is based on 2 distinct conditions.
1. The first condition is that Transmission Facilities at a single station or substation
where that station or substation connect, at voltage levels of 200 kV or higher
to three (3) other stations or substations, to three other stations or substations.
This qualification is meant to ensure that connections that operate at voltages
of 500 kV or higher are included in the count of connections to other stations or
substations as well.
2. The second qualification is that the aggregate value of all lines entering or
leaving the station or substation must exceed 3000. This qualification does not
include the consideration of lines operating at lower than 200 kV, or 500 kV or
higher, the latter already qualifying as medium impact under criterion 2.4. :
there is no value to be assigned to lines at voltages of less than 200 kV or 500 kV
or higher in the table of values for the contribution to the aggregate value of
3000.
The Transmission Facilities at the station or substation must meet both qualifications to be
considered as qualified under criterion 2.5.
Criterion 2.6 include BES Cyber Systems for those Transmission Facilities that have been
identified as critical to the derivation of IROLs and their associated contingencies, as
Guidelines and Technical Basis
Page 29 of 34
specified by FAC-014-2, Establish and Communicate System Operating Limits, R5.1.1 and
R5.1.3.
Criterion 2.7 is sourced from the NUC-001 NERC standard, Requirement R9.2.2, for the
support of Nuclear Facilities. NUC-001 ensures that reliability of NPIRs are ensured through
adequate coordination between the Nuclear Generator Owner/Operator and its
Transmission provider for the purpose of ensuring nuclear plant safe operation and
shutdown. In particular, there are specific requirements to coordinate physical and cyber
security protection of these interfaces.
Criterion 2.8 designates as medium impact those BES Cyber Systems that impact
Transmission Facilities necessary to directly support generation that meet the criteria in
Criteria 2.1 (generation Facilities with output greater than 1500 MW) and 2.3 (generation
Facilities generally designated as must run for wide area reliability in the planning
horizon). The Responsible Entity can request a formal statement from the Generation
owner as to the qualification of generation Facilities connected to their Transmission
systems.
Criterion 2.9 designates as medium impact those BES Cyber Systems for those Special
Protection Systems (SPS), Remedial Action Schemes (RAS), or automated switching Systems
installed to ensure BES operation within IROLs. The degradation, compromise or
unavailability of these BES Cyber Systems would result in exceeding IROLs if they fail to
operate as designed. By the definition of IROL, the loss or compromise of any of these have
Wide Area impacts.
Criterion 2.10 designates as medium impact those BES Cyber Systems for Systems or
Elements that perform automatic Load shedding, without human operator initiation, of 300
MW or more. The SDT spent considerable time discussing the wording of Criterion 2.10,
and chose the term Each to represent that the criterion applied to a discrete System or
Facility. In the drafting of this criterion, the drafting team sought to include only those
Systems that did not require human operator initiation, and targeted in particular those
underfrequency load shedding (UFLS) Facilities and systems and undervoltage load
shedding (UVLS) systems and Elements that would be subject to a regional Load shedding
requirement to prevent Adverse Reliability Impact. These include automated UFLS systems
or UVLS systems that are capable of Load shedding 300 MW or more. It should be noted
that those qualifying systems which require a human operator to arm the system, but once
armed, trigger automatically, are still to be considered as not requiring human operator
initiation and should be designated as medium impact. The 300 MW threshold has been
defined as the aggregate of the highest MW Load value, as defined by the applicable
regional Load Shedding standards, for the preceding 12 months to account for seasonal
fluctuations.
This particular threshold (300 MW) was provided in CIP, Version 1. The SDT believes that
the threshold should be lower than the 1500MW generation requirement since it is
specifically addressing UVLS and UFLS, which are last ditch efforts to save the Bulk Electric
Guidelines and Technical Basis
Page 30 of 34
System and hence requires a lower threshold. A review of UFLS tolerances defined within
regional reliability standards for UFLS program requirements to date indicates that the
historical value of 300 MW represents an adequate and reasonable threshold value for
allowable UFLS operational tolerances.
In ERCOT, the Load acting as a Resource (LaaR) Demand Response Program is not part of
the regional load shedding program, but an ancillary services market. In general, similar
demand response programs that are not part of the NERC or regional reliability Load
shedding programs, but are offered as components of an ancillary services market do not
qualify under this criterion.
The language used in section 4 for UVLS and UFLS and in criterion 2.10 of Attachment 1 is
designed to be consistent with requirements set in the PRC standards for UFLS and UVLS.
Criterion 2.12 categorizes as medium impact those BES Cyber Systems used by and at
Control Centers and associated data centers performing the functional obligations of a
Transmission Operator and that have not already been categorized as high impact.
Criterion 2.13 categorizes as Medium Impact those BA Control Centers that control 1500
MW of generation or more in a single Interconnection. The 1500 MW threshold is
consistent with the impact level and rationale specified for Criterion 2.1.
BES Cyber Systems not categorized in high impact or medium impact default to low impact.
Note that low impact BES Cyber Systems do not require discrete identification.
Low Impact Rating (L)
Restoration Facilities
Several discussions on the CIP Version 5 standards suggest entities owning Blackstart
Resources and Cranking Paths might elect to remove those services to avoid higher
compliance costs. For example, one Reliability Coordinator reported a 25% reduction of
Blackstart Resources as a result of the Version 1 language, and there could be more entities
that make this choice under Version 5.
In response, the CIP Version 5 drafting team sought informal input from NERCs Operating
and Planning Committees. The committees indicate there has already been a reduction in
Blackstart Resources because of increased CIP compliance costs, environmental rules, and
other risks; continued inclusion within Version 5 at a category that would very significantly
increase compliance costs can result in further reduction of a vulnerable pool.
The drafting team moved from the categorization of restoration assets such as Blackstart
Resources and Cranking Paths as medium impact (as was the case in earlier drafts) to
categorization of these assets as low impact as a result of these considerations. This will
not relieve asset owners of all responsibilities, as would have been the case in CIP-002,
Versions 1-4 (since only Cyber Assets with routable connectivity which are essential to
Guidelines and Technical Basis
Page 31 of 34
restoration assets are included in those versions). Under the low impact categorization,
those assets will be protected in the areas of cyber security awareness, physical access
control, and electronic access control, and they will have obligations regarding incident
response. This represents a net gain to bulk power system reliability, however, since many
of those assets do not meet criteria for inclusion under Versions 1-4.
Weighing the risks to overall BES reliability, the drafting team determined that this re-
categorization represents the option that would be the least detrimental to restoration
function and, thus, overall BES reliability. Removing Blackstart Resources and Cranking
Paths from medium impact promotes overall reliability, as the likely alternative is fewer
Blackstart Resources supporting timely restoration when needed.
BES Cyber Systems for generation resources that have been designated as Blackstart
Resources in the Transmission Operators restoration plan default to low impact. NERC
Standard EOP-005-2 requires the Transmission Operator to have a Restoration Plan and to
list its Blackstart Resources in its plan, as well as requirements to test these Resources. This
criterion designates only those generation Blackstart Resources that have been designated
as such in the Transmission Operators restoration plan. The glossary term Blackstart
Capability Plan has been retired.
Regarding concerns of communication to BES Asset Owners and Operators of their role in
the Restoration Plan, Transmission Operators are required in NERC Standard EOP-005-2 to
provide the entities identified in its approved restoration plan with a description of any
changes to their roles and specific tasks prior to the implementation date of the plan.
BES Cyber Systems for Facilities and Elements comprising the Cranking Paths and meeting
the initial switching requirements from the Blackstart Resource to the first Interconnection
point of the generation unit(s) to be started, as identified in the Transmission Operator's
restoration plan, default to the category of low impact: however, these systems are
explicitly called out to ensure consideration for inclusion in the scope of the version 5 CIP
standards. This requirement for inclusion in the scope is sourced from requirements in
NERC standard EOP-005-2, which requires the Transmission Operator to include in its
Restoration Plan the Cranking Paths and initial switching requirements from the Blackstart
Resource and the unit(s) to be started.
Distribution Providers may note that they may have BES Cyber Systems that must be scoped
in if they have Elements listed in the Transmission Operators Restoration Plan that are
components of the Cranking Path.
Guidelines and Technical Basis
Page 32 of 34
Use Case: CIP Process Flow
The following CIP use case process flow for a generator Operator/Owner was provided by a
participant in the development of the Version 5 standards and is provided here as an example
of a process used to identify and categorize BES Cyber Systems and BES Cyber Assets; review,
develop, and implement strategies to mitigate overall risks; and apply applicable security
controls.
Guidelines and Technical Basis
Page 33 of 34
Rationale:
During development of this standard, text boxes were embedded within the standard to explain
the rationale for various parts of the standard. Upon BOT approval, the text from the rationale
text boxes was moved to this section.
Rationale for R1:
BES Cyber Systems at each site location have varying impact on the reliable operation of the
Bulk Electric System. Attachment 1 provides a set of bright-line criteria that the Responsible
Entity must use to identify these BES Cyber Systems in accordance with the impact on the BES.
BES Cyber Systems must be identified and categorized according to their impact so that the
appropriate measures can be applied, commensurate with their impact. These impact
categories will be the basis for the application of appropriate requirements in CIP-003-CIP-011.
Rationale for R2:
The lists required by Requirement R1 are reviewed on a periodic basis to ensure that all BES
Cyber Systems required to be categorized have been properly identified and categorized. The
miscategorization or non-categorization of a BES Cyber System can lead to the application of
inadequate or non-existent cyber security controls that can lead to compromise or misuse that
can affect the real-time operation of the BES. The CIP Senior Managers approval ensures
proper oversight of the process by the appropriate Responsible Entity personnel.
Version History
Version Date Action Change Tracking
1 1/16/06
R3.2 Change Control Center to
control center.
3/24/06
2 9/30/09 Modifications to clarify the
requirements and to bring the
compliance elements into conformance
with the latest guidelines for developing
compliance elements of standards.
Removal of reasonable business
judgment.
Replaced the RRO with the RE as a
Responsible Entity.
Rewording of Effective Date.
Changed compliance monitor to
Compliance Enforcement Authority.
3 12/16/09 Updated version number from -2 to -3. Update
Guidelines and Technical Basis
Page 34 of 34
Approved by the NERC Board of
Trustees.
3 3/31/10 Approved by FERC.
4 12/30/10 Modified to add specific criteria for
Critical Asset identification.
Update
4 1/24/11 Approved by the NERC Board of
Trustees.
Update
5 11/26/12 Adopted by the NERC Board of
Trustees.
Modified to
coordinate with
other CIP
standards and to
revise format to
use RBS
Template.
Standard CIP0033 Cyber Security Security Management Controls
1
A. Introduction
1. Title: Cyber Security Security Management Controls
2. Number: CIP-003-3
3. Purpose: Standard CIP-003-3 requires that Responsible Entities have minimum security
management controls in place to protect Critical Cyber Assets. Standard CIP-003-3 should be
read as part of a group of standards numbered Standards CIP-002-3 through CIP-009-3.
4. Applicability:
4.1. Within the text of Standard CIP-003-3, Responsible Entity shall mean:
4.1.1 Reliability Coordinator.
4.1.2 Balancing Authority.
4.1.3 Interchange Authority.
4.1.4 Transmission Service Provider.
4.1.5 Transmission Owner.
4.1.6 Transmission Operator.
4.1.7 Generator Owner.
4.1.8 Generator Operator.
4.1.9 Load Serving Entity.
4.1.10 NERC.
4.1.11 Regional Entity.
4.2. The following are exempt from Standard CIP-003-3:
4.2.1 Facilities regulated by the U.S. Nuclear Regulatory Commission or the Canadian
Nuclear Safety Commission.
4.2.2 Cyber Assets associated with communication networks and data communication
links between discrete Electronic Security Perimeters.
4.2.3 Responsible Entities that, in compliance with Standard CIP-002-3, identify that
they have no Critical Cyber Assets shall only be required to comply with CIP-
003-3 Requirement R2.
5. Effective Date: The first day of the third calendar quarter after applicable regulatory approvals
have been received (or the Reliability Standard otherwise becomes effective the first day of the
third calendar quarter after BOT adoption in those jurisdictions where regulatory approval is
not required).
B. Requirements
R1. Cyber Security Policy The Responsible Entity shall document and implement a cyber
security policy that represents managements commitment and ability to secure its Critical
Cyber Assets. The Responsible Entity shall, at minimum, ensure the following:
R1.1. The cyber security policy addresses the requirements in Standards CIP-002-3 through
CIP-009-3, including provision for emergency situations.
Standard CIP0033 Cyber Security Security Management Controls
2
R1.2. The cyber security policy is readily available to all personnel who have access to, or are
responsible for, Critical Cyber Assets. (Retirement approved by NERC BOT pending
applicable regulatory approval.)
R1.3. Annual review and approval of the cyber security policy by the senior manager
assigned pursuant to R2.
R2. Leadership The Responsible Entity shall assign a single senior manager with overall
responsibility and authority for leading and managing the entitys implementation of, and
adherence to, Standards CIP-002-3 through CIP-009-3.
R2.1. The senior manager shall be identified by name, title, and date of designation.
R2.2. Changes to the senior manager must be documented within thirty calendar days of the
effective date.
R2.3. Where allowed by Standards CIP-002-3 through CIP-009-3, the senior manager may
delegate authority for specific actions to a named delegate or delegates. These
delegations shall be documented in the same manner as R2.1 and R2.2, and approved
by the senior manager.
R2.4. The senior manager or delegate(s), shall authorize and document any exception from
the requirements of the cyber security policy.
R3. Exceptions Instances where the Responsible Entity cannot conform to its cyber security
policy must be documented as exceptions and authorized by the senior manager or delegate(s).
(Retirement approved by NERC BOT pending applicable regulatory approval.)
R3.1. Exceptions to the Responsible Entitys cyber security policy must be documented
within thirty days of being approved by the senior manager or delegate(s).
(Retirement approved by NERC BOT pending applicable regulatory approval.)
R3.2. Documented exceptions to the cyber security policy must include an explanation as to
why the exception is necessary and any compensating measures. (Retirement
approved by NERC BOT pending applicable regulatory approval.)
R3.3. Authorized exceptions to the cyber security policy must be reviewed and approved
annually by the senior manager or delegate(s) to ensure the exceptions are still
required and valid. Such review and approval shall be documented. (Retirement
approved by NERC BOT pending applicable regulatory approval.)
R4. Information Protection The Responsible Entity shall implement and document a program to
identify, classify, and protect information associated with Critical Cyber Assets.
R4.1. The Critical Cyber Asset information to be protected shall include, at a minimum and
regardless of media type, operational procedures, lists as required in Standard CIP-
002-3, network topology or similar diagrams, floor plans of computing centers that
contain Critical Cyber Assets, equipment layouts of Critical Cyber Assets, disaster
recovery plans, incident response plans, and security configuration information.
R4.2. The Responsible Entity shall classify information to be protected under this program
based on the sensitivity of the Critical Cyber Asset information. (Retirement
approved by NERC BOT pending applicable regulatory approval.)
R4.3. The Responsible Entity shall, at least annually, assess adherence to its Critical Cyber
Asset information protection program, document the assessment results, and
implement an action plan to remediate deficiencies identified during the assessment.
Standard CIP0033 Cyber Security Security Management Controls
3
R5. Access Control The Responsible Entity shall document and implement a program for
managing access to protected Critical Cyber Asset information.
R5.1. The Responsible Entity shall maintain a list of designated personnel who are
responsible for authorizing logical or physical access to protected information.
R5.1.1. Personnel shall be identified by name, title, and the information for which
they are responsible for authorizing access.
R5.1.2. The list of personnel responsible for authorizing access to protected
information shall be verified at least annually.
R5.2. The Responsible Entity shall review at least annually the access privileges to protected
information to confirm that access privileges are correct and that they correspond with
the Responsible Entitys needs and appropriate personnel roles and responsibilities.
R5.3. The Responsible Entity shall assess and document at least annually the processes for
controlling access privileges to protected information.
R6. Change Control and Configuration Management The Responsible Entity shall establish and
document a process of change control and configuration management for adding, modifying,
replacing, or removing Critical Cyber Asset hardware or software, and implement supporting
configuration management activities to identify, control and document all entity or vendor-
related changes to hardware and software components of Critical Cyber Assets pursuant to the
change control process.
C. Measures
M1. The Responsible Entity shall make available documentation of its cyber security policy as
specified in Requirement R1. Additionally, the Responsible Entity shall demonstrate that the
cyber security policy is available as specified in Requirement R1.2. (Retirement of R1.2
approved by NERC BOT pending applicable regulatory approval.)
M2. The Responsible Entity shall make available documentation of the assignment of, and changes
to, its leadership as specified in Requirement R2.
M3. The Responsible Entity shall make available documentation of the exceptions, as specified in
Requirement R3. (Retirement approved by NERC BOT pending applicable regulatory
approval.)
M4. The Responsible Entity shall make available documentation of its information protection
program as specified in Requirement R4.
M5. The Responsible Entity shall make available its access control documentation as specified in
Requirement R5.
M6. The Responsible Entity shall make available its change control and configuration management
documentation as specified in Requirement R6.
D. Compliance
1. Compliance Monitoring Process
1.1. Compliance Enforcement Authority
1.1.1 Regional Entity for Responsible Entities that do not perform delegated tasks for
their Regional Entity.
1.1.2 ERO for Regional Entity.
Standard CIP0033 Cyber Security Security Management Controls
4
1.1.3 Third-party monitor without vested interest in the outcome for NERC.
1.2. Compliance Monitoring Period and Reset Time Frame
Not applicable.
1.3. Compliance Monitoring and Enforcement Processes
Compliance Audits
Self-Certifications
Spot Checking
Compliance Violation Investigations
Self-Reporting
Complaints
1.4. Data Retention
1.4.1 The Responsible Entity shall keep all documentation and records from the
previous full calendar year unless directed by its Compliance Enforcement
Authority to retain specific evidence for a longer period of time as part of an
investigation.
1.4.2 The Compliance Enforcement Authority in conjunction with the Registered
Entity shall keep the last audit records and all requested and submitted
subsequent audit records.
1.5. Additional Compliance Information
1.5.1 None
2. Violation Severity Levels (To be developed later.)
E. Regional Variances
None identified.
Version History
Version Date Action Change Tracking
2 Modifications to clarify the requirements and to bring the
compliance elements into conformance with the latest
guidelines for developing compliance elements of
standards.
Removal of reasonable business judgment.
Replaced the RRO with the RE as a responsible entity.
Rewording of Effective Date.
Requirement R2 applies to all Responsible Entities,
including Responsible Entities which have no Critical
Cyber Assets.
Modified the personnel identification information
requirements in R5.1.1 to include name, title, and the
information for which they are responsible for
authorizing access (removed the business phone
Standard CIP0033 Cyber Security Security Management Controls
5
information).
Changed compliance monitor to Compliance
Enforcement Authority.
3 Update version number from -2 to -3
3 12/16/09 Adopted by the NERC Board of Trustees Update
3 3/31/10 Approved by FERC
3 2/7/13 R1.2, R3, R3.1, R3.2, R3.3, and R4.2 and associated
elements approved by NERC Board of Trustees for
retirement as part of the Paragraph 81 project (Project
2013-02) pending applicable regulatory approval.
Standard CIP0034 Cyber Security Security Management Controls
1
A. Introduction
1. Title: Cyber Security Security Management Controls
2. Number: CIP-003-4
3. Purpose: Standard CIP-003-4 requires that Responsible Entities have minimum security
management controls in place to protect Critical Cyber Assets. Standard CIP-003-4 should be
read as part of a group of standards numbered Standards CIP-002-4 through CIP-009-4.
4. Applicability:
4.1. Within the text of Standard CIP-003-4, Responsible Entity shall mean:
4.1.1 Reliability Coordinator.
4.1.2 Balancing Authority.
4.1.3 Interchange Authority.
4.1.4 Transmission Service Provider.
4.1.5 Transmission Owner.
4.1.6 Transmission Operator.
4.1.7 Generator Owner.
4.1.8 Generator Operator.
4.1.9 Load Serving Entity.
4.1.10 NERC.
4.1.11 Regional Entity.
4.2. The following are exempt from Standard CIP-003-4:
4.2.1 Facilities regulated by the Canadian Nuclear Safety Commission.
4.2.2 Cyber Assets associated with communication networks and data communication
links between discrete Electronic Security Perimeters.
4.2.3 In nuclear plants, the systems, structures, and components that are regulated by
the Nuclear Regulatory Commission under a cyber security plan pursuant to 10
C.F. R. Section 73.54
4.2.4 Responsible Entities that, in compliance with Standard CIP-002-4, identify that
they have no Critical Cyber Assets shall only be required to comply with CIP-
003-4 Requirement R2.
5. Effective Date: The first day of the eighth calendar quarter after applicable regulatory
approvals have been received (or the Reliability Standard otherwise becomes effective the first
day of the ninth calendar quarter after BOT adoption in those jurisdictions where regulatory
approval is not required).
B. Requirements
R1. Cyber Security Policy The Responsible Entity shall document and implement a cyber
security policy that represents managements commitment and ability to secure its Critical
Cyber Assets. The Responsible Entity shall, at minimum, ensure the following:
Standard CIP0034 Cyber Security Security Management Controls
2
R1.1. The cyber security policy addresses the requirements in Standards CIP-002-4 through
CIP-009-4, including provision for emergency situations.
R1.2. The cyber security policy is readily available to all personnel who have access to, or are
responsible for, Critical Cyber Assets. (Retirement approved by NERC BOT pending
applicable regulatory approval.)
R1.3. Annual review and approval of the cyber security policy by the senior manager
assigned pursuant to R2.
R2. Leadership The Responsible Entity shall assign a single senior manager with overall
responsibility and authority for leading and managing the entitys implementation of, and
adherence to, Standards CIP-002-4 through CIP-009-4.
R2.1. The senior manager shall be identified by name, title, and date of designation.
R2.2. Changes to the senior manager must be documented within thirty calendar days of the
effective date.
R2.3. Where allowed by Standards CIP-002-4 through CIP-009-4, the senior manager may
delegate authority for specific actions to a named delegate or delegates. These
delegations shall be documented in the same manner as R2.1 and R2.2, and approved
by the senior manager.
R2.4. The senior manager or delegate(s), shall authorize and document any exception from
the requirements of the cyber security policy.
R3. Exceptions Instances where the Responsible Entity cannot conform to its cyber security
policy must be documented as exceptions and authorized by the senior manager or delegate(s).
(Retirement approved by NERC BOT pending applicable regulatory approval.)
R3.1. Exceptions to the Responsible Entitys cyber security policy must be documented
within thirty days of being approved by the senior manager or delegate(s).
(Retirement approved by NERC BOT pending applicable regulatory approval.)
R3.2. Documented exceptions to the cyber security policy must include an explanation as to
why the exception is necessary and any compensating measures. (Retirement
approved by NERC BOT pending applicable regulatory approval.)
R3.3. Authorized exceptions to the cyber security policy must be reviewed and approved
annually by the senior manager or delegate(s) to ensure the exceptions are still
required and valid. Such review and approval shall be documented. (Retirement
approved by NERC BOT pending applicable regulatory approval.)
R4. Information Protection The Responsible Entity shall implement and document a program to
identify, classify, and protect information associated with Critical Cyber Assets.
R4.1. The Critical Cyber Asset information to be protected shall include, at a minimum and
regardless of media type, operational procedures, lists as required in Standard CIP-
002-4, network topology or similar diagrams, floor plans of computing centers that
contain Critical Cyber Assets, equipment layouts of Critical Cyber Assets, disaster
recovery plans, incident response plans, and security configuration information.
R4.2. The Responsible Entity shall classify information to be protected under this program
based on the sensitivity of the Critical Cyber Asset information. (Retirement
approved by NERC BOT pending applicable regulatory approval.)
Standard CIP0034 Cyber Security Security Management Controls
3
R4.3. The Responsible Entity shall, at least annually, assess adherence to its Critical Cyber
Asset information protection program, document the assessment results, and
implement an action plan to remediate deficiencies identified during the assessment.
R5. Access Control The Responsible Entity shall document and implement a program for
managing access to protected Critical Cyber Asset information.
R5.1. The Responsible Entity shall maintain a list of designated personnel who are
responsible for authorizing logical or physical access to protected information.
R5.1.1. Personnel shall be identified by name, title, and the information for which
they are responsible for authorizing access.
R5.1.2. The list of personnel responsible for authorizing access to protected
information shall be verified at least annually.
R5.2. The Responsible Entity shall review at least annually the access privileges to protected
information to confirm that access privileges are correct and that they correspond with
the Responsible Entitys needs and appropriate personnel roles and responsibilities.
R5.3. The Responsible Entity shall assess and document at least annually the processes for
controlling access privileges to protected information.
R6. Change Control and Configuration Management The Responsible Entity shall establish and
document a process of change control and configuration management for adding, modifying,
replacing, or removing Critical Cyber Asset hardware or software, and implement supporting
configuration management activities to identify, control and document all entity or vendor-
related changes to hardware and software components of Critical Cyber Assets pursuant to the
change control process.
C. Measures
M1. The Responsible Entity shall make available documentation of its cyber security policy as
specified in Requirement R1. Additionally, the Responsible Entity shall demonstrate that the
cyber security policy is available as specified in Requirement R1.2. (Retirement of R1.2
approved by NERC BOT pending applicable regulatory approval.)
M2. The Responsible Entity shall make available documentation of the assignment of, and changes
to, its leadership as specified in Requirement R2.
M3. The Responsible Entity shall make available documentation of the exceptions, as specified in
Requirement R3. (Retirement approved by NERC BOT pending applicable regulatory
approval.)
M4. The Responsible Entity shall make available documentation of its information protection
program as specified in Requirement R4.
M5. The Responsible Entity shall make available its access control documentation as specified in
Requirement R5.
M6. The Responsible Entity shall make available its change control and configuration management
documentation as specified in Requirement R6.
Standard CIP0034 Cyber Security Security Management Controls
4
D. Compliance
1. Compliance Monitoring Process
1.1. Compliance Enforcement Authority
1.2. The RE shall serve as the CEA with the following exceptions:
1.2.1 For entities that do not work for the Regional Entity, the Regional Entity shall
serve as the Compliance Enforcement Authority.
1.2.2 For Reliability Coordinators and other functional entities that work for their
Regional Entity, the ERO shall serve as the Compliance Enforcement Authority.
1.2.3 For Responsible Entities that are also Regional Entities, the ERO or a Regional
Entity approved by the ERO and FERC or other applicable governmental
authorities shall serve as the Compliance Enforcement Authority.
1.2.4 For the ERO, a third-party monitor without vested interest in the outcome for the
ERO shall serve as the Compliance Enforcement Authority.
1.3. Compliance Monitoring and Enforcement Processes
Compliance Audits
Self-Certifications
Spot Checking
Compliance Violation Investigations
Self-Reporting
Complaints
1.4. Data Retention
1.4.1 The Responsible Entity shall keep all documentation and records from the
previous full calendar year unless directed by its Compliance Enforcement
Authority to retain specific evidence for a longer period of time as part of an
investigation.
1.4.2 The Compliance Enforcement Authority in conjunction with the Registered
Entity shall keep the last audit records and all requested and submitted
subsequent audit records.
1.5. Additional Compliance Information
1.5.1 None
2. Violation Severity Levels
Standard CIP0034 Cyber Security Security Management Controls
5
Requirement VRF Lower VSL Moderate VSL High VSL Severe VSL
R1. MEDIUM N/A N/A The Responsible Entity has documented but not
implemented a cyber security policy.
The Responsible Entity has not documented nor implemented a
cyber security policy.
R1.1. LOWER N/A N/A N/A The Responsible Entity's cyber security policy does not address
all the requirements in Standards CIP-002-4 through CIP-009-4,
including provision for emergency situations.
R1.2.
(Retirement
approved by
NERC BOT
pending applicable
regulatory
approval.)
LOWER N/A N/A N/A The Responsible Entity's cyber security policy is not readily
available to all personnel who have access to, or are responsible
for, Critical Cyber Assets.
R1.3 LOWER N/A N/A The Responsible Entity's senior manager, assigned pursuant
to R2, annually reviewed but did not annually approve its
cyber security policy.
The Responsible Entity's senior manager, assigned pursuant to
R2, did not annually review nor approve its cyber security
policy.
R2. LOWER N/A N/A N/A The Responsible Entity has not assigned a single senior manager
with overall responsibility and
authority for leading and managing the entitys implementation
of, and adherence to, Standards CIP-002-4 through CIP-009-4.
R2.1. LOWER N/A N/A N/A The senior manager is not identified by name, title, and date of
designation.
R2.2. LOWER Changes to the senior
manager were
documented in greater
than 30 but less than 60
days of the effective
date.
Changes to the senior manager
were documented in 60 or more
but less than 90 days of the
effective date.
Changes to the senior manager were documented in 90 or
more but less than 120 days of the effective date.
Changes to the senior manager were documented in 120 or more
days of the effective date.
R2.3. LOWER N/A N/A The identification of a senior managers delegate does not
include at least one of the following; name, title, or date of
the designation,
OR
A senior managers delegate is not identified by name, title, and
date
of designation; the document delegating the authority does not
identify the authority being delegated; the document
delegating the authority is not approved by the senior manager;
Standard CIP0034 Cyber Security Security Management Controls
6
Requirement VRF Lower VSL Moderate VSL High VSL Severe VSL
The document is not approved by the senior manager,
OR
Changes to the delegated authority are not documented
within thirty calendar days of the effective date.
AND
changes to the delegated authority are not documented within
thirty calendar days of the effective date.
R2.4 LOWER N/A N/A N/A The senior manager or delegate(s) did not authorize and
document any exceptions fromthe requirements of the cyber
security policy as required.
R3.
(Retirement
approved by
NERC BOT
pending applicable
regulatory
approval.)
LOWER N/A N/A In Instances where the Responsible Entity cannot conformto
its cyber security policy (pertaining to CIP 002 through CIP
009), exceptions were documented, but were not authorized
by the senior manager or delegate(s).
In Instances where the Responsible Entity cannot conformto its
cyber security policy (pertaining to CIP 002 through CIP 009),
exceptions were not documented, and were not authorized by the
senior manager or delegate(s).
R3.1.
(Retirement
approved by
NERC BOT
pending applicable
regulatory
approval.)
LOWER Exceptions to the
Responsible Entitys
cyber security policy
were documented in
more than 30 but less
than 60 days of being
approved by the senior
manager or delegate(s).
Exceptions to the Responsible
Entitys cyber security policy
were documented in 60 or more
but less than 90 days of being
approved by the senior manager
or delegate(s).
Exceptions to the Responsible Entitys cyber security policy
were documented in 90 or more but less than 120 days of
being approved by the senior manager or delegate(s).
Exceptions to the Responsible Entitys cyber security policy
were documented in 120 or more days of being approved by the
senior manager or delegate(s).
R3.2.
(Retirement
approved by
NERC BOT
pending applicable
regulatory
approval.)
LOWER N/A N/A The Responsible Entity has a documented exception to the
cyber
security policy (pertaining to CIP 002-4 through CIP 009-4)
but did not include either:
1) an explanation as to why the exception is necessary, or
2) any compensating measures.
The Responsible Entity has a documented exception to the cyber
security policy (pertaining to CIP 002-4 through CIP 009-4) but
did not include both:
1) an explanation as to why the exception is necessary, and
2) any compensating measures.
R3.3.
(Retirement
approved by
NERC BOT
pending applicable
regulatory
approval.)
LOWER N/A N/A Exceptions to the cyber security policy (pertaining to CIP
002-4 through CIP 009-4) were reviewed but not approved
annually by the senior manager or delegate(s) to ensure the
exceptions are still required and valid.
Exceptions to the cyber security policy (pertaining to CIP 002-4
through CIP 009-4) were not reviewed nor approved annually by
the senior manager or delegate(s) to ensure the exceptions are
still required and valid.
Standard CIP0034 Cyber Security Security Management Controls
7
Requirement VRF Lower VSL Moderate VSL High VSL Severe VSL
R4. MEDIUM N/A The Responsible Entity
implemented but did not
document a programto identify,
classify, and protect information
associated with Critical Cyber
Assets.
The Responsible Entity documented but did not implement a
programto identify, classify, and protect information
associated with Critical Cyber Assets.
The Responsible Entity did not implement nor document a
programto identify, classify, and protect information associated
with Critical Cyber Assets.
R4.1. MEDIUM N/A N/A The information protection programdoes not include one of
the minimuminformation types to be protected as detailed in
R4.1.
The information protection programdoes not include two or
more of the minimuminformation types to be protected as
detailed in R4.1.
R4.2.
(Retirement
approved by
NERC BOT
pending applicable
regulatory
approval.)
LOWER N/A N/A N/A The Responsible Entity did not classify the information to be
protected under this programbased on the sensitivity of the
Critical Cyber Asset information.
R4.3. LOWER N/A The Responsible Entity annually
assessed adherence to its Critical
Cyber Asset information
protection program, documented
the assessment results, which
included deficiencies identified
during the assessment but did
not implement a remediation
plan.
The Responsible Entity annually assessed adherence to its
Critical Cyber Asset information protection program, did not
document the assessment results, and did not implement a
remediation plan.
The Responsible Entity did not annually, assess adherence to its
Critical Cyber Asset information protection program, document
the assessment results, nor implement an action plan to
remediate deficiencies identified during the assessment.
R5. LOWER N/A The Responsible Entity
implemented but did not
document a programfor
managing access to protected
Critical Cyber Asset
information.
The Responsible Entity documented but did not implement a
programfor managing access to protected Critical Cyber
Asset information.
The Responsible Entity did not implement nor document a
programfor managing access to protected Critical Cyber Asset
information.
R5.1. LOWER N/A N/A The Responsible Entity maintained a list of designated
personnel for authorizing either logical or physical access
but not both.
The Responsible Entity did not maintain a list of designated
personnel who are responsible for authorizing logical or physical
access to protected information.
R5.1.1. LOWER N/A N/A The Responsible Entity did identify the personnel by name
and title but did not identify the information for which they
are responsible for authorizing access.
The Responsible Entity did not identify the personnel by name
and title nor the information for which they are responsible for
authorizing access.
Standard CIP0034 Cyber Security Security Management Controls
8
Requirement VRF Lower VSL Moderate VSL High VSL Severe VSL
R5.1.2. LOWER N/A N/A N/A The Responsible Entity did not verify at least annually the list of
personnel responsible for authorizing access to protected
information.
R5.2. LOWER N/A N/A N/A The Responsible Entity did not review at least annually the
access privileges to protected information to confirmthat access
privileges are correct and that they correspond with the
Responsible Entitys needs and appropriate personnel roles and
responsibilities.
R5.3. LOWER N/A N/A N/A The Responsible Entity did not assess and document at least
annually the processes for controlling access privileges to
protected information.
R6. LOWER The Responsible Entity
has established but not
documented a change
control process
OR
The Responsible Entity
has established but not
documented a
configuration
management process.
The Responsible Entity has
established but not documented
both a change control process
and configuration management
process.
The Responsible Entity has not established and documented
a change control process
OR
The Responsible Entity has not established and documented
a configuration management process.
The Responsible Entity has not established and documented a
change control process
AND
The Responsible Entity has not established and documented a
configuration management process.
E. Regional Variances
None identified.
Standard CIP0034 Cyber Security Security Management Controls
9
Version History
Version Date Action Change
Tracking
2 Modifications to clarify the requirements and to
bring the compliance elements into conformance
with the latest guidelines for developing
compliance elements of standards.
Removal of reasonable business judgment.
Replaced the RRO with the RE as a responsible
entity.
Rewording of Effective Date.
Requirement R2 applies to all Responsible Entities,
including Responsible Entities which have no
Critical Cyber Assets.
Modified the personnel identification information
requirements in R5.1.1 to include name, title, and
the information for which they are responsible for
authorizing access (removed the business phone
information).
Changed compliance monitor to Compliance
Enforcement Authority.
3 Update version number from -2 to -3
3 12/16/09 Approved by the NERC Board of Trustees Update
4 Board approved
01/24/2011
Update version number from 3 to 4 Update to conform
to changes to CIP-
002-4 (Project
2008-06)
4 4/19/12 FERC Order issued approving CIP-003-4 (approval
becomes effective J une 25, 2012)
Added approved VRF/VSL table to section D.2.
3, 4 2/7/13 R1.2, R3, R3.1, R3.2, R3.3, and R4.2 and
associated elements approved by NERC Board of
Trustees for retirement as part of the Paragraph 81
project (Project 2013-02) pending applicable
regulatory approval.
CIP-003-5 Cyber Security Security Management Controls
Page 1 of 22
A. Introduction
1. Title: Cyber Security Security Management Controls
2. Number: CIP-003-5
3. Purpose: To specify consistent and sustainable security management controls that
establish responsibility and accountability to protect BES Cyber Systems against
compromise that could lead to misoperation or instability in the BES.
4. Applicability:
4.1. Functional Entities: For the purpose of the requirements contained herein, the
following list of functional entities will be collectively referred to as Responsible
Entities. For requirements in this standard where a specific functional entity or
subset of functional entities are the applicable entity or entities, the functional entity
or entities are specified explicitly.
4.1.1 Balancing Authority
4.1.2 Distribution Provider that owns one or more of the following Facilities, systems,
and equipment for the protection or restoration of the BES:
4.1.2.1 Each underfrequency Load shedding (UFLS) or undervoltage Load shedding
(UVLS) system that:
4.1.2.1.1 is part of a Load shedding program that is subject to one or more
requirements in a NERC or Regional Reliability Standard; and
4.1.2.1.2 performs automatic Load shedding under a common control system
owned by the Responsible Entity, without human operator initiation,
of 300 MW or more.
4.1.2.2 Each Special Protection System or Remedial Action Scheme where the
Special Protection System or Remedial Action Scheme is subject to one or
more requirements in a NERC or Regional Reliability Standard.
4.1.2.3 Each Protection System (excluding UFLS and UVLS) that applies to
Transmission where the Protection System is subject to one or more
requirements in a NERC or Regional Reliability Standard.
4.1.2.4 Each Cranking Path and group of Elements meeting the initial switching
requirements from a Blackstart Resource up to and including the first
interconnection point of the starting station service of the next generation
unit(s) to be started.
4.1.3 Generator Operator
4.1.4 Generator Owner
4.1.5 Interchange Coordinator or Interchange Authority
4.1.6 Reliability Coordinator
CIP-003-5 Cyber Security Security Management Controls
Page 2 of 22
4.1.7 Transmission Operator
4.1.8 Transmission Owner
4.2. Facilities: For the purpose of the requirements contained herein, the following
Facilities, systems, and equipment owned by each Responsible Entity in 4.1 above
are those to which these requirements are applicable. For requirements in this
standard where a specific type of Facilities, system, or equipment or subset of
Facilities, systems, and equipment are applicable, these are specified explicitly.
4.2.1 Distribution Provider: One or more of the following Facilities, systems and
equipment owned by the Distribution Provider for the protection or restoration
of the BES:
4.2.1.1 Each UFLS or UVLS System that:
4.2.1.1.1 is part of a Load shedding program that is subject to one or more
requirements in a NERC or Regional Reliability Standard; and
4.2.1.1.2 performs automatic Load shedding under a common control system
owned by the Responsible Entity, without human operator initiation,
of 300 MW or more.
4.2.1.2 Each Special Protection System or Remedial Action Scheme where the
Special Protection System or Remedial Action Scheme is subject to one or
more requirements in a NERC or Regional Reliability Standard.
4.2.1.3 Each Protection System (excluding UFLS and UVLS) that applies to
Transmission where the Protection System is subject to one or more
requirements in a NERC or Regional Reliability Standard.
4.2.1.4 Each Cranking Path and group of Elements meeting the initial switching
requirements from a Blackstart Resource up to and including the first
interconnection point of the starting station service of the next generation
unit(s) to be started.
4.2.2 Responsible Entities listed in 4.1 other than Distribution Providers:
All BES Facilities.
4.2.3 Exemptions: The following are exempt from Standard CIP-003-5:
4.2.3.1 Cyber Assets at Facilities regulated by the Canadian Nuclear Safety
Commission.
4.2.3.2 Cyber Assets associated with communication networks and data
communication links between discrete Electronic Security Perimeters.
4.2.3.3 The systems, structures, and components that are regulated by the Nuclear
Regulatory Commission under a cyber security plan pursuant to 10 C.F.R.
Section 73.54.
CIP-003-5 Cyber Security Security Management Controls
Page 3 of 22
4.2.3.4 For Distribution Providers, the systems and equipment that are not included
in section 4.2.1 above.
5. Effective Dates:
1. 24 Months Minimum CIP-003-5, except for CIP-003-5, Requirement R2, shall
become effective on the later of July 1, 2015, or the first calendar day of the
ninth calendar quarter after the effective date of the order providing applicable
regulatory approval. CIP-003-5, Requirement R2 shall become effective on the
later of July 1, 2016, or the first calendar day of the 13th calendar quarter after
the effective date of the order providing applicable regulatory approval.
2. In those jurisdictions where no regulatory approval is required, CIP-003-5, except
for CIP-003-5, Requirement R2, shall become effective on the first day of the
ninth calendar quarter following Board of Trustees approval, and CIP-003-5,
Requirement R2 shall become effective on the first day of the 13th calendar
quarter following Board of Trustees approval, or as otherwise made effective
pursuant to the laws applicable to such ERO governmental authorities.
6. Background:
Standard CIP-003-5 exists as part of a suite of CIP Standards related to cyber security.
CIP-002-5 requires the initial identification and categorization of BES Cyber Systems.
CIP-003-5, CIP-004-5, CIP-005-5, CIP-006-5, CIP-007-5, CIP-008-5, CIP-009-5, CIP-010-
1, and CIP-011-1 require a minimum level of organizational, operational, and
procedural controls to mitigate risk to BES Cyber Systems. This suite of CIP Standards
is referred to as the Version 5 CIP Cyber Security Standards.
The SDT has incorporated within this standard a recognition that certain
requirements should not focus on individual instances of failure as a sole basis for
violating the standard. In particular, the SDT has incorporated an approach to
empower and enable the industry to identify, assess, and correct deficiencies in the
implementation of certain requirements. The intent is to change the basis of a
violation in those requirements so that they are not focused on whether there is a
deficiency, but on identifying, assessing, and correcting deficiencies. It is presented
in those requirements by modifying implement as follows:
Each Responsible Entity shall implement, in a manner that identifies, assesses,
and corrects deficiencies, . . .
The term documented processes refers to a set of required instructions specific to the
Responsible Entity and to achieve a specific outcome. This term does not imply any
naming or approval structure beyond what is stated in the requirements. An entity
should include as much as it believes necessary in their documented processes, but
they must address the applicable requirements. The documented processes
themselves are not required to include the . . . identifies, assesses, and corrects
deficiencies, . . ." elements described in the preceding paragraph, as those aspects
CIP-003-5 Cyber Security Security Management Controls
Page 4 of 22
are related to the manner of implementation of the documented processes and could
be accomplished through other controls or compliance management activities.
The terms program and plan are sometimes used in place of documented processes
where it makes sense and is commonly understood. For example, documented
processes describing a response are typically referred to as plans (i.e., incident
response plans and recovery plans). Likewise, a security plan can describe an
approach involving multiple procedures to address a broad subject matter.
Similarly, the term program may refer to the organizations overall implementation of
its policies, plans and procedures involving a subject matter. Examples in the
standards include the personnel risk assessment program and the personnel training
program. The full implementation of the CIP Cyber Security Standards could also be
referred to as a program. However, the terms program and plan do not imply any
additional requirements beyond what is stated in the standards.
Responsible Entities can implement common controls that meet requirements for
multiple high and medium impact BES Cyber Systems. For example, a single training
program could meet the requirements for training personnel across multiple BES
Cyber Systems.
Measures provide examples of evidence to show documentation and implementation
of the requirement. These measures serve to provide guidance to entities in
acceptable records of compliance and should not be viewed as an all-inclusive list.
Throughout the standards, unless otherwise stated, bulleted items in the
requirements and measures are items that are linked with an or, and numbered
items are items that are linked with an and.
Many references in the Applicability section use a threshold of 300 MW for UFLS and
UVLS. This particular threshold of 300 MW for UVLS and UFLS was provided in
Version 1 of the CIP Cyber Security Standards. The threshold remains at 300 MW
since it is specifically addressing UVLS and UFLS, which are last ditch efforts to save
the Bulk Electric System. A review of UFLS tolerances defined within regional
reliability standards for UFLS program requirements to date indicates that the
historical value of 300 MW represents an adequate and reasonable threshold value
for allowable UFLS operational tolerances.
CIP-003-5 Cyber Security Security Management Controls
Page 5 of 22
B. Requirements and Measures
R1. Each Responsible Entity, for its high impact and medium impact BES Cyber Systems,
shall review and obtain CIP Senior Manager approval at least once every 15 calendar
months for one or more documented cyber security policies that collectively address
the following topics: [Violation Risk Factor: Medium] [Time Horizon: Operations
Planning]
1.1 Personnel & training (CIP-004);
1.2 Electronic Security Perimeters (CIP-005) including Interactive Remote Access;
1.3 Physical security of BES Cyber Systems (CIP-006);
1.4 System security management (CIP-007);
1.5 Incident reporting and response planning (CIP-008);
1.6 Recovery plans for BES Cyber Systems (CIP-009);
1.7 Configuration change management and vulnerability assessments (CIP-010);
1.8 Information protection (CIP-011); and
1.9 Declaring and responding to CIP Exceptional Circumstances.
M1. Examples of evidence may include, but are not limited to, policy documents; revision
history, records of review, or workflow evidence from a document management
system that indicate review of each cyber security policy at least once every 15
calendar months; and documented approval by the CIP Senior Manager for each cyber
security policy.
R2. Each Responsible Entity for its assets identified in CIP-002-5, Requirement R1, Part
R1.3, shall implement, in a manner that identifies, assesses, and corrects deficiencies,
one or more documented cyber security policies that collectively address the following
topics, and review and obtain CIP Senior Manager approval for those policies at least
once every 15 calendar months: [Violation Risk Factor: Lower] [Time Horizon:
Operations Planning]
2.1 Cyber security awareness;
2.2 Physical security controls;
2.3 Electronic access controls for external routable protocol connections and Dial-up
Connectivity; and
2.4 Incident response to a Cyber Security Incident.
An inventory, list, or discrete identification of low impact BES Cyber Systems or their
BES Cyber Assets is not required.
CIP-003-5 Cyber Security Security Management Controls
Page 6 of 22
M2. Examples of evidence may include, but are not limited to, one or more documented
cyber security policies and evidence of processes, procedures, or plans that
demonstrate the implementation of the required topics; revision history, records of
review, or workflow evidence from a document management system that indicate
review of each cyber security policy at least once every 15 calendar months; and
documented approval by the CIP Senior Manager for each cyber security policy.
R3. Each Responsible Entity shall identify a CIP Senior Manager by name and document
any change within 30 calendar days of the change. [Violation Risk Factor: Medium]
[Time Horizon: Operations Planning]
M3. An example of evidence may include, but is not limited to, a dated and approved
document from a high level official designating the name of the individual identified
as the CIP Senior Manager.
R4. The Responsible Entity shall implement, in a manner that identifies, assesses, and
corrects deficiencies, a documented process to delegate authority, unless no
delegations are used. Where allowed by the CIP Standards, the CIP Senior Manager
may delegate authority for specific actions to a delegate or delegates. These
delegations shall be documented, including the name or title of the delegate, the
specific actions delegated, and the date of the delegation; approved by the CIP Senior
Manager; and updated within 30 days of any change to the delegation. Delegation
changes do not need to be reinstated with a change to the delegator. [Violation Risk
Factor: Lower] [Time Horizon: Operations Planning]
M4. An example of evidence may include, but is not limited to, a dated document,
approved by the CIP Senior Manager, listing individuals (by name or title) who are
delegated the authority to approve or authorize specifically identified items.
C. Compliance
1. Compliance Monitoring Process
1.1. Compliance Enforcement Authority:
The Regional Entity shall serve as the Compliance Enforcement Authority (CEA)
unless the applicable entity is owned, operated, or controlled by the Regional
Entity. In such cases the ERO or a Regional Entity approved by FERC or other
applicable governmental authority shall serve as the CEA.
1.2. Evidence Retention:
The following evidence retention periods identify the period of time an entity is
required to retain specific evidence to demonstrate compliance. For instances
where the evidence retention period specified below is shorter than the time
since the last audit, the CEA may ask an entity to provide other evidence to show
that it was compliant for the full time period since the last audit.
CIP-003-5 Cyber Security Security Management Controls
Page 7 of 22
The Responsible Entity shall keep data or evidence to show compliance as
identified below unless directed by its CEA to retain specific evidence for a
longer period of time as part of an investigation:
Each Responsible Entity shall retain evidence of each requirement in this
standard for three calendar years.
If a Responsible Entity is found non-compliant, it shall keep information
related to the non-compliance until mitigation is complete and approved or
for the time specified above, whichever is longer.
The CEA shall keep the last audit records and all requested and submitted
subsequent audit records.
1.3. Compliance Monitoring and Assessment Processes:
Compliance Audit
Self-Certification
Spot Checking
Compliance Investigation
Self-Reporting
Complaint
1.4. Additional Compliance Information:
None
CIP-003-5 Cyber Security Security Management Controls
Page 8 of 22
2. Table of Compliance Elements
R # Time
Horizon
VRF Violation Severity Levels (CIP-003-5)
Lower VSL Moderate VSL High VSL Severe VSL
R1 Operations
Planning
Medium The Responsible
Entity documented
and implemented
one or more cyber
security policies for
its high impact and
medium impact BES
Cyber Systems, but
did not address one
of the nine topics
required by R1. (R1)
OR
The Responsible
Entity did not
complete its review
of the one or more
documented cyber
security policies for
its high impact and
medium impact BES
Cyber Systems as
required by R1
within 15 calendar
months but did
complete this review
The Responsible
Entity documented
and implemented
one or more cyber
security policies for
its high impact and
medium impact BES
Cyber Systems, but
did not address two
of the nine topics
required by R1. (R1)
OR
The Responsible
Entity did not
complete its review
of the one or more
documented cyber
security policies for
its high impact and
medium impact BES
Cyber Systems as
required by R1
within 16 calendar
months but did
complete this review
The Responsible Entity
documented and
implemented one or
more cyber security
policies for its high
impact and medium
impact BES Cyber
Systems, but did not
address three of the nine
topics required by R1.
(R1)
OR
The Responsible Entity
did not complete its
review of the one or
more documented cyber
security policies for its
high impact and medium
impact BES Cyber
Systems as required by
R1 within 17 calendar
months but did
complete this review in
less than or equal to 18
calendar months of the
The Responsible
Entity documented
and implemented
one or more cyber
security policies for
its high impact and
medium impact BES
Cyber Systems, but
did not address four
or more of the nine
topics required by
R1. (R1)
OR
The Responsible
Entity did not have
any documented
cyber security
policies for its high
impact and medium
impact BES Cyber
Systems as required
by R1. (R1)
OR
The Responsible
CIP-003-5 Cyber Security Security Management Controls
Page 9 of 22
R # Time
Horizon
VRF Violation Severity Levels (CIP-003-5)
Lower VSL Moderate VSL High VSL Severe VSL
in less than or equal
to 16 calendar
months of the
previous review. (R1)
OR
The Responsible
Entity did not
complete its
approval of the one
or more documented
cyber security
policies for its high
impact and medium
impact BES Cyber
Systems as required
by R1 by the CIP
Senior Manager or
delegate according
to Requirement R1
within 15 calendar
months but did
complete this
approval in less than
or equal to 16
calendar months of
the previous
in less than or equal
to 17 calendar
months of the
previous review. (R1)
OR
The Responsible
Entity did not
complete its
approval of the one
or more
documented cyber
security policies for
its high impact and
medium impact BES
Cyber Systems as
required by R1 by
the CIP Senior
Manager or delegate
according to
Requirement R1
within 16 calendar
months but did
complete this
approval in less than
or equal to 17
calendar months of
the previous
previous review. (R1)
OR
The Responsible Entity
did not complete its
approval of the one or
more documented cyber
security policies for its
high impact and medium
impact BES Cyber
Systems as required by
R1 by the CIP Senior
Manager or delegate
according to
Requirement R1 within
17 calendar months but
did complete this
approval in less than or
equal to 18 calendar
months of the previous
approval. (R1)
Entity did not
complete its review
of the one or more
documented cyber
security policies as
required by R1
within 18 calendar
months of the
previous review. (R1)
OR
The Responsible
Entity did not
complete its
approval of the one
or more
documented cyber
security policies for
its high impact and
medium impact BES
Cyber Systems as
required by R1 by
the CIP Senior
Manager or delegate
according to
Requirement R1
within 18 calendar
months of the
CIP-003-5 Cyber Security Security Management Controls
Page 10 of 22
R # Time
Horizon
VRF Violation Severity Levels (CIP-003-5)
Lower VSL Moderate VSL High VSL Severe VSL
approval. (R1) approval. (R1) previous approval.
(R1)
R2 Operations
Planning
Lower The Responsible
Entity documented
and implemented
one or more cyber
security policies for
assets with a low
impact rating that
address only three of
the topics as
required by R2 and
has identified
deficiencies but did
not assess or correct
the deficiencies. (R2)
OR
The Responsible
Entity documented
and implemented
one or more cyber
security policies for
assets with a low
impact rating that
address only three of
the topics as
The Responsible
Entity documented
and implemented
one or more cyber
security policies for
assets with a low
impact rating that
address only two of
the topics as
required by R2 and
has identified
deficiencies but did
not assess or correct
the deficiencies. (R2)
OR
The Responsible
Entity documented
and implemented
one or more cyber
security policies for
assets with a low
impact rating that
address only two of
the topics as
The Responsible Entity
documented and
implemented one or
more cyber security
policies for assets with a
low impact rating that
address only one of the
topics as required by R2
and has identified
deficiencies but did not
assess or correct the
deficiencies. (R2)
OR
The Responsible Entity
documented and
implemented one or
more cyber security
policies for assets with a
low impact rating that
address only one of the
topics as required by R2
but did not identify,
assess, or correct the
deficiencies.
The Responsible
Entity did not
document or
implement any cyber
security policies for
assets with a low
impact rating that
address the topics as
required by R2. (R2)
OR
The Responsible
Entity did not
complete its review
of the one or more
documented cyber
security policies for
assets with a low
impact rating as
required by R2
within 18 calendar
months of the
previous review. (R2)
OR
The Responsible
CIP-003-5 Cyber Security Security Management Controls
Page 11 of 22
R # Time
Horizon
VRF Violation Severity Levels (CIP-003-5)
Lower VSL Moderate VSL High VSL Severe VSL
required by R2 but
did not identify,
assess, or correct the
deficiencies.
OR
The Responsible
Entity did not
complete its review
of the one or more
documented cyber
security policies for
assets with a low
impact rating as
required by R2
within 15 calendar
months but did
complete this review
in less than or equal
to 16 calendar
months of the
previous review. (R2)
OR
The Responsible
Entity did not
complete its
approval of the one
required by R2 but
did not identify,
assess, or correct the
deficiencies.
OR
The Responsible
Entity did not
complete its review
of the one or more
documented cyber
security policies for
assets with a low
impact rating as
required by R2
within 16 calendar
months but did
complete this review
in less than or equal
to 17 calendar
months of the
previous review. (R2)
OR
The Responsible
Entity did not
complete its
approval of the one
OR
The Responsible Entity
did not complete its
review of the one or
more documented cyber
security policies for
assets with a low impact
rating as required by R2
within 17 calendar
months but did
complete this review in
less than or equal to 18
calendar months of the
previous review. (R2)
OR
The Responsible Entity
did not complete its
approval of the one or
more documented cyber
security policies for
assets with a low impact
rating as required by R2
by the CIP Senior
Manager according to
Requirement R2 within
17 calendar months but
Entity did not
complete its
approval of the one
or more
documented cyber
security policies for
assets with a low
impact rating as
required by R2 by
the CIP Senior
Manager according
to Requirement R2
within 18 calendar
months of the
previous approval.
(R2)
CIP-003-5 Cyber Security Security Management Controls
Page 12 of 22
R # Time
Horizon
VRF Violation Severity Levels (CIP-003-5)
Lower VSL Moderate VSL High VSL Severe VSL
or more documented
cyber security
policies for assets
with a low impact
rating as required by
R2 by the CIP Senior
Manager according
to Requirement R2
within 15 calendar
months but did
complete this
approval in less than
or equal to 16
calendar months of
the previous
approval. (R2)
or more
documented cyber
security policies for
assets with a low
impact rating as
required by R2 by
the CIP Senior
Manager according
to Requirement R2
within 16 calendar
months but did
complete this
approval in less than
or equal to 17
calendar months of
the previous
approval. (R2)
did complete this
approval in less than or
equal to 18 calendar
months of the previous
approval. (R2)
R3 Operations
Planning
Medium The Responsible
Entity has identified
by name a CIP Senior
Manager, but did not
document changes
to the CIP Senior
Manager within 30
calendar days but did
document this
change in less than
The Responsible
Entity has identified
by name a CIP Senior
Manager, but did
not document
changes to the CIP
Senior Manager
within 40 calendar
days but did
document this
The Responsible Entity
has identified by name a
CIP Senior Manager, but
did not document
changes to the CIP
Senior Manager within
50 calendar days but did
document this change in
less than 60 calendar
The Responsible
Entity has not
identified, by name,
a CIP Senior
Manager.
OR
The Responsible
Entity has identified
by name a CIP Senior
CIP-003-5 Cyber Security Security Management Controls
Page 13 of 22
R # Time
Horizon
VRF Violation Severity Levels (CIP-003-5)
Lower VSL Moderate VSL High VSL Severe VSL
40 calendar days of
the change. (R3)
change in less than
50 calendar days of
the change. (R3)
days of the change. (R3) Manager, but did
not document
changes to the CIP
Senior Manager
within 60 calendar
days of the change.
(R3)
R4 Operations
Planning
Lower The Responsible
Entity has identified
a delegate by name,
title, date of
delegation, and
specific actions
delegated, but did
not document
changes to the
delegate within 30
calendar days but did
document this
change in less than
40 calendar days of
the change. (R4)
The Responsible
Entity has identified
a delegate by name,
title, date of
delegation, and
specific actions
delegated, but did
not document
changes to the
delegate within 40
calendar days but
did document this
change in less than
50 calendar days of
the change. (R4)
The Responsible Entity
has used delegated
authority for actions
where allowed by the
CIP Standards, has a
process to delegate
actions from the CIP
Senior Manager, and has
Identified deficiencies
but did not assess or
correct the
deficiencies.(R4)
OR
The Responsible Entity
has used delegated
authority for actions
where allowed by the
CIP Standards, has a
process to delegate
The Responsible
Entity has used
delegated authority
for actions where
allowed by the CIP
Standards, but does
not have a process
to delegate actions
from the CIP Senior
Manager. (R4)
OR
The Responsible
Entity has identified
a delegate by name,
title, date of
delegation, and
specific actions
delegated, but did
not document
CIP-003-5 Cyber Security Security Management Controls
Page 14 of 22
R # Time
Horizon
VRF Violation Severity Levels (CIP-003-5)
Lower VSL Moderate VSL High VSL Severe VSL
actions from the CIP
Senior Manager, but did
not identify, assess, or
correct the
deficiencies.(R4)
OR
The Responsible Entity
has identified a delegate
by name, title, date of
delegation, and specific
actions delegated, but
did not document
changes to the delegate
within 50 calendar days
but did document this
change in less than 60
calendar days of the
change. (R4)
changes to the
delegate within 60
calendar days of the
change. (R4)
CIP-003-5 Cyber Security Security Management Controls
Page 15 of 22
D. Regional Variances
None.
E. Interpretations
None.
F. Associated Documents
None.
Guidelines and Technical Basis
Page 16 of 22
Guidelines and Technical Basis
Section 4 Scope of Applicability of the CIP Cyber Security Standards
Section 4. Applicability of the standards provides important information for Responsible
Entities to determine the scope of the applicability of the CIP Cyber Security Requirements.
Section 4.1. Functional Entities is a list of NERC functional entities to which the standard
applies. If the entity is registered as one or more of the functional entities listed in Section 4.1,
then the NERC CIP Cyber Security Standards apply. Note that there is a qualification in Section
4.1 that restricts the applicability in the case of Distribution Providers to only those that own
certain types of systems and equipment listed in 4.2.
Section 4.2. Facilities defines the scope of the Facilities, systems, and equipment owned by
the Responsible Entity, as qualified in Section 4.1, that is subject to the requirements of the
standard. In addition to the set of BES Facilities, Control Centers, and other systems and
equipment, the list includes the set of systems and equipment owned by Distribution Providers.
While the NERC Glossary term Facilities already includes the BES characteristic, the additional
use of the term BES here is meant to reinforce the scope of applicability of these Facilities
where it is used, especially in this applicability scoping section. This in effect sets the scope of
Facilities, systems, and equipment that is subject to the standards.
Requirement R1:
The number of policies and their specific language are guided by a Responsible Entity's
management structure and operating conditions. Policies might be included as part of a
general information security program for the entire organization, or as components of specific
programs. The cyber security policy must cover in sufficient detail the nine topical areas
required by CIP-003-5, Requirement R1. The Responsible Entity has the flexibility to develop a
single comprehensive cyber security policy covering these topics, or it may choose to develop a
single high-level umbrella policy and provide additional policy detail in lower level documents in
its documentation hierarchy. In the case of a high-level umbrella policy, the Responsible Entity
would be expected to provide the high-level policy as well as the additional documentation in
order to demonstrate compliance with CIP-003-5, Requirement R1. Implementation of the
cyber security policy is not specifically included in CIP-003-5, Requirement R1 as it is envisioned
that the implementation of this policy is evidenced through successful implementation of CIP-
004 through CIP-011. However, Responsible Entities are encouraged not to limit the scope of
their cyber security policies to only those requirements from CIP-004 through CIP-011, but
rather to put together a holistic cyber security policy appropriate to its organization. The
assessment through the Compliance Monitoring and Enforcement Program of policy items that
extend beyond the scope of CIP-004 through CIP-011 should not be considered candidates for
potential violations. The Responsible Entity should consider the following for each of the
required topics in its cyber security policy:
1.1 Personnel & training (CIP-004)
Guidelines and Technical Basis
Page 17 of 22
Organization position on acceptable background investigations
Identification of possible disciplinary action for violating this policy
Account management
1.2 Electronic Security Perimeters (CIP-005) including Interactive Remote Access
Organization stance on use of wireless networks
Identification of acceptable authentication methods
Identification of trusted and untrusted resources
Monitoring and logging of ingress and egress at Electronic Access Points
Maintaining up-to-date anti-malware software before initiating Interactive Remote
Access
Maintaining up-to-date patch levels for operating systems and applications used to
initiate Interactive Remote Access
Disabling VPN split-tunneling or dual-homed workstations before initiating
Interactive Remote Access
For vendors, contractors, or consultants: include language in contracts that requires
adherence to the Responsible Entitys Interactive Remote Access controls
1.3 Physical security of BES Cyber Systems (CIP-006)
Strategy for protecting Cyber Assets from unauthorized physical access
Acceptable physical access control methods
Monitoring and logging of physical ingress
1.4 System security management (CIP-007)
Strategies for system hardening
Acceptable methods of authentication and access control
Password policies including length, complexity, enforcement, prevention of brute force
attempts
Monitoring and logging of BES Cyber Systems
1.5 Incident reporting and response planning (CIP-008)
Recognition of Cyber Security Incidents
Appropriate notifications upon discovery of an incident
Obligations to report Cyber Security Incidents
1.6 Recovery plans for BES Cyber Systems (CIP-009)
Availability of spare components
Guidelines and Technical Basis
Page 18 of 22
Availability of system backups
1.7 Configuration change management and vulnerability assessments (CIP-010)
Initiation of change requests
Approval of changes
Break-fix processes
1.8 Information protection (CIP-011)
Information access control methods
Notification of unauthorized information disclosure
Information access on a need-to-know basis
1.9 Declaring and responding to CIP Exceptional Circumstances
Processes to invoke special procedures in the event of a CIP Exceptional Circumstance
Processes to allow for exceptions to policy that do not violate CIP requirements
The Standard Drafting Team (SDT) has removed requirements relating to exceptions to a
Responsible Entitys security policies since it is a general management issue that is not within
the scope of a reliability requirement. The SDT considers it to be an internal policy requirement
and not a reliability requirement. However, the SDT encourages Responsible Entities to
continue this practice as a component of its cyber security policy.
In this and all subsequent required approvals in the NERC CIP Standards, the Responsible Entity
may elect to use hardcopy or electronic approvals to the extent that there is sufficient evidence
to ensure the authenticity of the approving party.
Requirement R2:
As with Requirement R1, the number of policies and their specific language would be guided by
a Responsible Entity's management structure and operating conditions. Policies might be
included as part of a general information security program for the entire organization or as
components of specific programs. The cyber security policy must cover in sufficient detail the
four topical areas required by CIP-003-5, Requirement R2. The Responsible Entity has flexibility
to develop a single comprehensive cyber security policy covering these topics, or it may choose
to develop a single high-level umbrella policy and provide additional policy detail in lower level
documents in its documentation hierarchy. In the case of a high-level umbrella policy, the
Responsible Entity would be expected to provide the high-level policy as well as the additional
documentation in order to demonstrate compliance with CIP-003-5, Requirement R2. The
intent of the requirement is to outline a set of basic protections that all low impact BES Cyber
Systems should receive without requiring a significant administrative and compliance overhead.
The SDT intends that demonstration of this requirement can be reasonably accomplished
through providing evidence of related processes, procedures, or plans. While the audit staff
may choose to review an example low impact BES Cyber System, the SDT believes strongly that
the current method (as of this writing) of reviewing a statistical sample of systems is not
Guidelines and Technical Basis
Page 19 of 22
necessary. The SDT also notes that in topic 2.3, the SDT uses the term electronic access
control in the general sense, i.e., to control access, and not in the specific technical sense
requiring authentication, authorization, and auditing.
Requirement R3:
The intent of CIP-003-5, Requirement R3 is effectively unchanged since prior versions of the
standard. The specific description of the CIP Senior Manager has now been included as a
defined term rather than clarified in the Standard itself to prevent any unnecessary cross-
reference to this standard. It is expected that this CIP Senior Manager play a key role in
ensuring proper strategic planning, executive/board-level awareness, and overall program
governance.
Requirement R4:
As indicated in the rationale for CIP-003-5, Requirement R4, this requirement is intended to
demonstrate a clear line of authority and ownership for security matters. The intent of the SDT
was not to impose any particular organizational structure, but, rather, the Responsible Entity
should have significant flexibility to adapt this requirement to their existing organizational
structure. A Responsible Entity may satisfy this requirement through a single delegation
document or through multiple delegation documents. The Responsible Entity can make use of
the delegation of the delegation authority itself to increase the flexibility in how this applies to
its organization. In such a case, delegations may exist in numerous documentation records as
long as the collection of these documentation records provides a clear line of authority back to
the CIP Senior Manager. In addition, the CIP Senior Manager could also choose not to delegate
any authority and meet this requirement without such delegation documentation.
The Responsible Entity must keep its documentation of the CIP Senior Manager and any
delegations up to date. This is to ensure that individuals do not assume any undocumented
authority. However, delegations do not have to be re-instated if the individual who delegated
the task changes roles or is replaced. For instance, assume that John Doe is named the CIP
Senior Manager and he delegates a specific task to the Substation Maintenance Manager. If
John Doe is replaced as the CIP Senior Manager, the CIP Senior Manager documentation must
be updated within the specified timeframe, but the existing delegation to the Substation
Maintenance Manager remains in effect as approved by the previous CIP Senior Manager, John
Doe.
Guidelines and Technical Basis
Page 20 of 22
Rationale:
During development of this standard, text boxes were embedded within the standard to explain
the rationale for various parts of the standard. Upon BOT approval, the text from the rationale
text boxes was moved to this section.
Rationale for R1:
One or more security policies enable effective implementation of the standard's requirements.
The purpose of policies is to provide a management and governance foundation for all
requirements that apply to personnel who have authorized electronic access and/or authorized
unescorted physical access to its BES Cyber Systems. The Responsible Entity can demonstrate
through its policies that its management supports the accountability and responsibility
necessary for effective implementation of the standard's requirements.
Annual review and approval of the cyber security policy ensures that the policy is kept up-to-
date and periodically reaffirms managements commitment to the protection of its BES Cyber
Systems.
Rationale for R2:
One or more security policies enable effective implementation of the standard's requirements.
The purpose of policies is to provide a management and governance foundation for all
requirements that apply to personnel who have authorized electronic access and/or authorized
unescorted physical access to its BES Cyber Systems. The Responsible Entity can demonstrate
through its policies that its management supports the accountability and responsibility
necessary for effective implementation of the standard's requirements.
The language in Requirement R2, Part 2.3 . . . for external routable protocol connections and
Dial-up Connectivity . . . was included to acknowledge the support given in FERC Order 761,
paragraph 87, for electronic security perimeter protections of some form to be applied to all
BES Cyber Systems, regardless of impact. Part 2.3 uses the phrase external routable protocol
connections instead of the defined term External Routable Connectivity, because the latter
term has very specific connotations relating to Electronic Security Perimeters and high and
medium impact BES Cyber Systems. Using the glossary term External Routable Connectivity
in the context of Requirement R2 would not be appropriate because Requirement R2 is limited
in scope to low impact BES Cyber Systems.
Review and approval of the cyber security policy at least every 15 calendar months ensures that
the policy is kept up-to-date and periodically reaffirms managements commitment to the
protection of its BES Cyber Systems.
Guidelines and Technical Basis
Page 21 of 22
Rationale for R3:
The identification and documentation of the single CIP Senior Manager ensures that there is
clear authority and ownership for the CIP program within an organization, as called for in
Blackout Report Recommendation 43. The language that identifies CIP Senior Manager
responsibilities is included in the Glossary of Terms used in NERC Reliability Standards so that it
may be used across the body of CIP standards without an explicit cross-reference.
FERC Order No. 706, Paragraph 296, requests consideration of whether the single senior
manager should be a corporate officer or equivalent. As implicated through the defined term,
the senior manager has the overall authority and responsibility for leading and managing
implementation of the requirements within this set of standards which ensures that the senior
manager is of sufficient position in the Responsible Entity to ensure that cyber security receives
the prominence that is necessary. In addition, given the range of business models for
responsible entities, from municipal, cooperative, federal agencies, investor owned utilities,
privately owned utilities, and everything in between, the SDT believes that requiring the senior
manager to be a corporate officer or equivalent would be extremely difficult to interpret and
enforce on a consistent basis.
Rationale for R4:
The intent of the requirement is to ensure clear accountability within an organization for
certain security matters. It also ensures that delegations are kept up-to-date and that
individuals do not assume undocumented authority.
In FERC Order No. 706, Paragraphs 379 and 381, the Commission notes that Recommendation
43 of the 2003 Blackout Report calls for clear lines of authority and ownership for security
matters. With this in mind, the Standard Drafting Team has sought to provide clarity in the
requirement for delegations so that this line of authority is clear and apparent from the
documented delegations.
Guidelines and Technical Basis
Page 22 of 22
Version History
Version Date Action Change Tracking
1 1/16/06
R3.2 Change Control Center to
control center.
3/24/06
2 9/30/09 Modifications to clarify the
requirements and to bring the
compliance elements into conformance
with the latest guidelines for developing
compliance elements of standards.
Removal of reasonable business
judgment.
Replaced the RRO with the RE as a
responsible entity.
Rewording of Effective Date.
Changed compliance monitor to
Compliance Enforcement Authority.
3 12/16/09 Updated version number from -2 to -3
Approved by the NERC Board of
Trustees.
3 3/31/10 Approved by FERC.
4 1/24/11 Approved by the NERC Board of
Trustees.
Update to
conform to
changes to CIP-
002-4 (Project
2008-06)
5 11/26/12 Adopted by the NERC Board of
Trustees.
Modified to
coordinate with
other CIP
standards and to
revise format to
use RBS
Template.
Standard CIP0043a Cyber Security Pers onnel and Training
Page 1 of 7
A. Introduction
1. Title: Cyber Security Personnel & Training
2. Number: CIP-004-3a
3. Purpose: Standard CIP-004-3 requires that personnel having authorized cyber or
authorized unescorted physical access to Critical Cyber Assets, including contractors and
service vendors, have an appropriate level of personnel risk assessment, training, and security
awareness. Standard CIP-004-3 should be read as part of a group of standards numbered
Standards CIP-002-3 through CIP-009-3.
4. Applicability:
4.1. Within the text of Standard CIP-004-3, Responsible Entity shall mean:
4.1.1 Reliability Coordinator.
4.1.2 Balancing Authority.
4.1.3 Interchange Authority.
4.1.4 Transmission Service Provider.
4.1.5 Transmission Owner.
4.1.6 Transmission Operator.
4.1.7 Generator Owner.
4.1.8 Generator Operator.
4.1.9 Load Serving Entity.
4.1.10 NERC.
4.1.11 Regional Entity.
4.2. The following are exempt from Standard CIP-004-3:
4.2.1 Facilities regulated by the U.S. Nuclear Regulatory Commission or the Canadian
Nuclear Safety Commission.
4.2.2 Cyber Assets associated with communication networks and data communication
links between discrete Electronic Security Perimeters.
4.2.3 Responsible Entities that, in compliance with Standard CIP-002-3, identify that
they have no Critical Cyber Assets.
5. Effective Date: The first day of the third calendar quarter after applicable regulatory approvals
have been received (or the Reliability Standard otherwise becomes effective the first day of the
third calendar quarter after BOT adoption in those jurisdictions where regulatory approval is
not required).
B. Requirements
R1. Awareness The Responsible Entity shall establish, document, implement, and maintain a
security awareness program to ensure personnel having authorized cyber or authorized
unescorted physical access to Critical Cyber Assets receive on-going reinforcement in sound
security practices. The program shall include security awareness reinforcement on at least a
quarterly basis using mechanisms such as:
Direct communications (e.g., emails, memos, computer based training, etc.);
Standard CIP0043a Cyber Security Pers onnel and Training
Page 2 of 7
Indirect communications (e.g., posters, intranet, brochures, etc.);
Management support and reinforcement (e.g., presentations, meetings, etc.).
R2. Training The Responsible Entity shall establish, document, implement, and maintain an
annual cyber security training program for personnel having authorized cyber or authorized
unescorted physical access to Critical Cyber Assets. The cyber security training program shall
be reviewed annually, at a minimum, and shall be updated whenever necessary.
R2.1. This program will ensure that all personnel having such access to Critical Cyber Assets,
including contractors and service vendors, are trained prior to their being granted such
access except in specified circumstances such as an emergency.
R2.2. Training shall cover the policies, access controls, and procedures as developed for the
Critical Cyber Assets covered by CIP-004-3, and include, at a minimum, the following
required items appropriate to personnel roles and responsibilities:
R2.2.1. The proper use of Critical Cyber Assets;
R2.2.2. Physical and electronic access controls to Critical Cyber Assets;
R2.2.3. The proper handling of Critical Cyber Asset information; and,
R2.2.4. Action plans and procedures to recover or re-establish Critical Cyber Assets
and access thereto following a Cyber Security Incident.
R2.3. The Responsible Entity shall maintain documentation that training is conducted at least
annually, including the date the training was completed and attendance records.
R3. Personnel Risk Assessment The Responsible Entity shall have a documented personnel risk
assessment program, in accordance with federal, state, provincial, and local laws, and subject to
existing collective bargaining unit agreements, for personnel having authorized cyber or
authorized unescorted physical access to Critical Cyber Assets. A personnel risk assessment
shall be conducted pursuant to that program prior to such personnel being granted such access
except in specified circumstances such as an emergency.
The personnel risk assessment program shall at a minimum include:
R3.1. The Responsible Entity shall ensure that each assessment conducted include, at least,
identity verification (e.g., Social Security Number verification in the U.S.) and seven-
year criminal check. The Responsible Entity may conduct more detailed reviews, as
permitted by law and subject to existing collective bargaining unit agreements,
depending upon the criticality of the position.
R3.2. The Responsible Entity shall update each personnel risk assessment at least every seven
years after the initial personnel risk assessment or for cause.
R3.3. The Responsible Entity shall document the results of personnel risk assessments of its
personnel having authorized cyber or authorized unescorted physical access to Critical
Cyber Assets, and that personnel risk assessments of contractor and service vendor
personnel with such access are conducted pursuant to Standard CIP-004-3.
R4. Access The Responsible Entity shall maintain list(s) of personnel with authorized cyber or
authorized unescorted physical access to Critical Cyber Assets, including their specific
electronic and physical access rights to Critical Cyber Assets.
R4.1. The Responsible Entity shall review the list(s) of its personnel who have such access to
Critical Cyber Assets quarterly, and update the list(s) within seven calendar days of any
change of personnel with such access to Critical Cyber Assets, or any change in the
Standard CIP0043a Cyber Security Pers onnel and Training
Page 3 of 7
access rights of such personnel. The Responsible Entity shall ensure access list(s) for
contractors and service vendors are properly maintained.
R4.2. The Responsible Entity shall revoke such access to Critical Cyber Assets within 24
hours for personnel terminated for cause and within seven calendar days for personnel
who no longer require such access to Critical Cyber Assets.
C. Measures
M1. The Responsible Entity shall make available documentation of its security awareness and
reinforcement program as specified in Requirement R1.
M2. The Responsible Entity shall make available documentation of its cyber security training
program, review, and records as specified in Requirement R2.
M3. The Responsible Entity shall make available documentation of the personnel risk assessment
program and that personnel risk assessments have been applied to all personnel who have
authorized cyber or authorized unescorted physical access to Critical Cyber Assets, as specified
in Requirement R3.
M4. The Responsible Entity shall make available documentation of the list(s), list review and
update, and access revocation as needed as specified in Requirement R4.
D. Compliance
1. Compliance Monitoring Process
1.1. Compliance Enforcement Authority
1.1.1 Regional Entity for Responsible Entities that do not perform delegated tasks for
their Regional Entity.
1.1.2 ERO for Regional Entity.
1.1.3 Third-party monitor without vested interest in the outcome for NERC.
1.2. Compliance Monitoring Period and Reset Time Frame
Not Applicable.
1.3. Compliance Monitoring and Enforcement Processes
Compliance Audits
Self-Certifications
Spot Checking
Compliance Violation Investigations
Self-Reporting
Complaints
1.4. Data Retention
1.4.1 The Responsible Entity shall keep personnel risk assessment documents in
accordance with federal, state, provincial, and local laws.
1.4.2 The Responsible Entity shall keep all other documentation required by Standard
CIP-004-3 from the previous full calendar year unless directed by its Compliance
Enforcement Authority to retain specific evidence for a longer period of time as
part of an investigation.
Standard CIP0043a Cyber Security Pers onnel and Training
Page 4 of 7
1.4.3 The Compliance Enforcement Authority in conjunction with the Registered
Entity shall keep the last audit records and all requested and submitted
subsequent audit records.
1.5. Additional Compliance Information
2. Violation Severity Levels (To be developed later.)
E. Regional Variances
None identified.
Version History
Version Date Action Change Tracking
1 01/16/06 D.2.2.4 Insert the phrase for cause as
intended. One instance of personnel termination
for cause
03/24/06
1 06/01/06 D.2.1.4 Change access control rights to
access rights.
06/05/06
2 Modifications to clarify the requirements and to
bring the compliance elements into conformance
with the latest guidelines for developing
compliance elements of standards.
Removal of reasonable business judgment.
Replaced the RRO with the RE as a responsible
entity.
Rewording of Effective Date.
Reference to emergency situations.
Modification to R1 for the Responsible Entity to
establish, document, implement, and maintain the
awareness program.
Modification to R2 for the Responsible Entity to
establish, document, implement, and maintain the
training program; also stating the requirements for
the cyber security training program.
Modification to R3 Personnel Risk Assessment to
clarify that it pertains to personnel having
authorized cyber or authorized unescorted physical
access to Critical Cyber Assets.
Removal of 90 day window to complete training
and 30 day window to complete personnel risk
assessments.
Changed compliance monitor to Compliance
Enforcement Authority.
3 Update version number from -2 to -3
3 12/16/09 Approved by NERC Board of Trustees Update
Standard CIP0043a Cyber Security Pers onnel and Training
Page 5 of 7
3a 5/24/12 Interpretation of R2, R3, and R4 adopted by NERC
Board of Trustees
3a 12/13/12 Interpretation of R2, R3, and R4 approved by
FERC in a Letter Order issued December 12, 2012
Standard CIP0043a Cyber Security Pers onnel and Training
Page 6 of 7
Appendix 1
Requirement Number and Text of Requirement
R2. Training The Responsible Entity shall establish, maintain, and document an annual cyber
security training program for personnel having authorized cyber or authorized unescorted physical
access to Critical Cyber Assets, and review the program annually and update as necessary.
R2.1. This program will ensure that all personnel having such access to Critical Cyber Assets,
including contractors and service vendors, are trained within ninety calendar days of such
authorization.
R3. Personnel Risk Assessment The Responsible Entity shall have a documented personnel risk
assessment program, in accordance with federal, state, provincial, and local laws, and subject to
existing collective bargaining unit agreements, for personnel having authorized cyber or authorized
unescorted physical access. A personnel risk assessment shall be conducted pursuant to that program
within thirty days of such personnel being granted such access. Such program shall at a minimum
include:
R4. Access The Responsible Entity shall maintain list(s) of personnel with authorized cyber or
authorized unescorted physical access to Critical Cyber Assets, including their specific electronic and
physical access rights to Critical Cyber Assets.
Question 1
The WECC RC seeks clarification on the definition of authorized access as applied to temporary
support from vendors.
Do the training, risk assessment and access requirements specified in R2, R3, and R4 apply to vendors
who are supervised? Assuming that a supervised vendor is exempt from CIP-004-1, Requirements R2,
R3 and R4, would temporary, indirect and monitored access such as that provided through remote
terminal sessions (WebEx, etc.) or escorted physical access be considered supervision?
Response to Question 1
WECC asks three questions, which are listed below. The answer to each question follows the question.
1. WECC seeks clarification on the definition of authorized access as applied to temporary
support from vendors.
Answer: While the Glossary of Terms used in NERC Reliability Standards does not have a definition
of authorized access, CIP-004-1, Requirement R4 requires that an entity shall maintain list(s) of
personnel with authorized cyber or authorized unescorted physical access to Critical Cyber Assets,
including their specific electronic and physical access rights to Critical Cyber Assets. For purposes
of CIP-004-1, an individual has authorized access if he or she is on that list, and, as a result, is
subject to Requirements R2, R3, and R4.
2. Do the training, risk assessment, and access requirements specified in R2, R3, and R4 apply to
vendors who are supervised?
Standard CIP0043a Cyber Security Pers onnel and Training
Page 7 of 7
Answer: As written, all cyber access to Critical Cyber Assets must be authorized, and all authorized
access must comply with Requirements R2, R3, and R4.
1
Through the use of the qualifier
unescorted with regard to physical access, CIP-004-1, Requirement R2, implies the concept of
supervision for physical access when an individual is not authorized, and CIP-006 R1.6 also allows
for escorted unauthorized physical access via a visitor program. There is no similar qualifier or
reference in the requirement that mentions escorted or otherwise implies supervision for cyber
access within CIP-004. Furthermore, there is no mention of any escorted unauthorized cyber access
within CIP-007 similar to the visitor program in CIP-006 R1.6. Compared to physical access, the
concept or any words relating to escorting or supervision in the requirement language is absent
relative to cyber access.
3. Assuming that a supervised vendor is exempt from CIP-004-1, Requirements R2, R3, and R4,
would temporary, indirect and monitored access such as that provided through remote terminal
sessions (WebEx, etc.) or escorted physical access be considered supervision?
Answer: To the extent a vendor is escorted to physically access a Critical Cyber Asset for purposes
other than direct cyber access (e.g., replacing parts on the Critical Cyber Asset), supervision is
acceptable (within the context of escorted physical access). If the escorted physical access includes
bringing a vendor or other individual to the Critical Cyber Asset to direct someone with authorized
access in performing cyber access, such supervision is also acceptable within the language of the
requirement, since the vendor or other individual is merely present while an authorized individual
conducts the actual cyber access. However, the requirement language does not support the notion of
physically escorting a vendor or other individual to a Critical Cyber Asset for the vendor or other
individual to perform cyber access, even if supervised. Even if it is possible to provide supervised
cyber access to Critical Cyber Assets, there is no basis or contemplation of escorted cyber access
whatsoever in CIP-004, whether remotely or in person.
1
The drafting team also notes that the FAQ referenced in the request for interpretation is not the same as an
approved Reliability Standard and is not mandatory and enforceable. The FAQ was not developed or approved
through the same standards development process, and cannot be used to substitute for the language in the standard
itself. The drafting team also notes that the concept of unsupervised trusted access in the FAQ applies only to
Version 1which contained a 30 and 90 day provision for training and personnel risk assessments for personnel
with authorized cyber access and authorized unescorted physical accessand it was not modified to conform to the
changes made in subsequent versions.
Standard CIP0044a Cyber Security Pers onnel and Training
Page 1 of 11
A. Introduction
1. Title: Cyber Security Personnel & Training
2. Number: CIP-004-4a
3. Purpose: Standard CIP-004-4 requires that personnel having authorized cyber or
authorized unescorted physical access to Critical Cyber Assets, including contractors and
service vendors, have an appropriate level of personnel risk assessment, training, and security
awareness. Standard CIP-004-4 should be read as part of a group of standards numbered
Standards CIP-002-4 through CIP-009-4.
4. Applicability:
4.1. Within the text of Standard CIP-004-4, Responsible Entity shall mean:
4.1.1 Reliability Coordinator.
4.1.2 Balancing Authority.
4.1.3 Interchange Authority.
4.1.4 Transmission Service Provider.
4.1.5 Transmission Owner.
4.1.6 Transmission Operator.
4.1.7 Generator Owner.
4.1.8 Generator Operator.
4.1.9 Load Serving Entity.
4.1.10 NERC.
4.1.11 Regional Entity.
4.2. The following are exempt from Standard CIP-004-4:
4.2.1 Facilities regulated by the Canadian Nuclear Safety Commission.
4.2.2 Cyber Assets associated with communication networks and data communication
links between discrete Electronic Security Perimeters.
4.2.3 In nuclear plants, the systems, structures, and components that are regulated by
the Nuclear Regulatory Commission under a cyber security plan pursuant to 10
C.F. R. Section 73.54
4.2.4 Responsible Entities that, in compliance with Standard CIP-002-4, identify that
they have no Critical Cyber Assets.
5. Effective Date: The first day of the eighth calendar quarter after applicable regulatory
approvals have been received (or the Reliability Standard otherwise becomes effective the first
day of the ninth calendar quarter after BOT adoption in those jurisdictions where regulatory
approval is not required).
B. Requirements
R1. Awareness The Responsible Entity shall establish, document, implement, and maintain a
security awareness program to ensure personnel having authorized cyber or authorized
unescorted physical access to Critical Cyber Assets receive on-going reinforcement in sound
Standard CIP0044a Cyber Security Pers onnel and Training
Page 2 of 11
security practices. The program shall include security awareness reinforcement on at least a
quarterly basis using mechanisms such as:
Direct communications (e.g., emails, memos, computer based training, etc.);
Indirect communications (e.g., posters, intranet, brochures, etc.);
Management support and reinforcement (e.g., presentations, meetings, etc.).
R2. Training The Responsible Entity shall establish, document, implement, and maintain an
annual cyber security training program for personnel having authorized cyber or authorized
unescorted physical access to Critical Cyber Assets. The cyber security training program shall
be reviewed annually, at a minimum, and shall be updated whenever necessary.
R2.1. This program will ensure that all personnel having such access to Critical Cyber Assets,
including contractors and service vendors, are trained prior to their being granted such
access except in specified circumstances such as an emergency.
R2.2. Training shall cover the policies, access controls, and procedures as developed for the
Critical Cyber Assets covered by CIP-004-4, and include, at a minimum, the following
required items appropriate to personnel roles and responsibilities:
R2.2.1. The proper use of Critical Cyber Assets;
R2.2.2. Physical and electronic access controls to Critical Cyber Assets;
R2.2.3. The proper handling of Critical Cyber Asset information; and,
R2.2.4. Action plans and procedures to recover or re-establish Critical Cyber Assets
and access thereto following a Cyber Security Incident.
R2.3. The Responsible Entity shall maintain documentation that training is conducted at least
annually, including the date the training was completed and attendance records.
R3. Personnel Risk Assessment The Responsible Entity shall have a documented personnel risk
assessment program, in accordance with federal, state, provincial, and local laws, and subject to
existing collective bargaining unit agreements, for personnel having authorized cyber or
authorized unescorted physical access to Critical Cyber Assets. A personnel risk assessment
shall be conducted pursuant to that program prior to such personnel being granted such access
except in specified circumstances such as an emergency.
The personnel risk assessment program shall at a minimum include:
R3.1. The Responsible Entity shall ensure that each assessment conducted include, at least,
identity verification (e.g., Social Security Number verification in the U.S.) and seven-
year criminal check. The Responsible Entity may conduct more detailed reviews, as
permitted by law and subject to existing collective bargaining unit agreements,
depending upon the criticality of the position.
R3.2. The Responsible Entity shall update each personnel risk assessment at least every seven
years after the initial personnel risk assessment or for cause.
R3.3. The Responsible Entity shall document the results of personnel risk assessments of its
personnel having authorized cyber or authorized unescorted physical access to Critical
Cyber Assets, and that personnel risk assessments of contractor and service vendor
personnel with such access are conducted pursuant to Standard CIP-004-4.
R4. Access The Responsible Entity shall maintain list(s) of personnel with authorized cyber or
authorized unescorted physical access to Critical Cyber Assets, including their specific
electronic and physical access rights to Critical Cyber Assets.
Standard CIP0044a Cyber Security Pers onnel and Training
Page 3 of 11
R4.1. The Responsible Entity shall review the list(s) of its personnel who have such access to
Critical Cyber Assets quarterly, and update the list(s) within seven calendar days of any
change of personnel with such access to Critical Cyber Assets, or any change in the
access rights of such personnel. The Responsible Entity shall ensure access list(s) for
contractors and service vendors are properly maintained.
R4.2. The Responsible Entity shall revoke such access to Critical Cyber Assets within 24
hours for personnel terminated for cause and within seven calendar days for personnel
who no longer require such access to Critical Cyber Assets.
C. Measures
M1. The Responsible Entity shall make available documentation of its security awareness and
reinforcement program as specified in Requirement R1.
M2. The Responsible Entity shall make available documentation of its cyber security training
program, review, and records as specified in Requirement R2.
M3. The Responsible Entity shall make available documentation of the personnel risk assessment
program and that personnel risk assessments have been applied to all personnel who have
authorized cyber or authorized unescorted physical access to Critical Cyber Assets, as
specified in Requirement R3.
M4. The Responsible Entity shall make available documentation of the list(s), list review and
update, and access revocation as needed as specified in Requirement R4.
Standard CIP0044a Cyber Security Pers onnel and Training
Page 4 of 11
D. Compliance
1. Compliance Monitoring Process
1.1. Compliance Enforcement Authority
1.2. The RE shall serve as the CEA with the following exceptions:
1.2.1 For entities that do not work for the Regional Entity, the Regional Entity shall
serve as the Compliance Enforcement Authority.
1.2.2 For Reliability Coordinators and other functional entities that work for their
Regional Entity, the ERO shall serve as the Compliance Enforcement Authority.
1.2.3 For Responsible Entities that are also Regional Entities, the ERO or a Regional
Entity approved by the ERO and FERC or other applicable governmental
authorities shall serve as the Compliance Enforcement Authority.
1.2.4 For the ERO, a third-party monitor without vested interest in the outcome for the
ERO shall serve as the Compliance Enforcement Authority.
1.3. Compliance Monitoring and Enforcement Processes
Compliance Audits
Self-Certifications
Spot Checking
Compliance Violation Investigations
Self-Reporting
Complaints
1.4. Data Retention
1.4.1 The Responsible Entity shall keep personnel risk assessment documents in
accordance with federal, state, provincial, and local laws.
1.4.2 The Responsible Entity shall keep all other documentation required by Standard
CIP-004-4 from the previous full calendar year unless directed by its Compliance
Enforcement Authority to retain specific evidence for a longer period of time as
part of an investigation.
1.4.3 The Compliance Enforcement Authority in conjunction with the Registered
Entity shall keep the last audit records and all requested and submitted
subsequent audit records.
1.5. Additional Compliance Information
2. Violation Severity Levels
Standard CIP0044a Cyber Security Pers onnel and Training
Page 5 of 11
Requirement VRF Lower VSL Moderate VSL High VSL Severe VSL
R1. LOWER
The Responsible Entity
established,
implemented, and
maintained but did not
document a security
awareness program to
ensure personnel having
authorized cyber or
authorized unescorted
physical access to
Critical Cyber Assets
receive ongoing
reinforcement in sound
security practices.
The Responsibility Entity did
not provide security awareness
reinforcement on at least a
quarterly basis.
The Responsible Entity did document but did not establish,
implement, nor maintain a security awareness program to
ensure personnel having authorized cyber or authorized
unescorted physical access to Critical Cyber Assets receive
on-going reinforcement in sound security practices.
The Responsible Entity did not establish, implement, maintain,
nor document a security awareness program to ensure personnel
having authorized cyber or authorized unescorted physical access
to Critical Cyber Assets receive on-going reinforcement in sound
security practices.
R2. LOWER
The Responsible Entity
established,
implemented, and
maintained but did not
document an annual
cyber security training
program for personnel
having authorized cyber
or authorized unescorted
physical access to
Critical Cyber Assets.
The Responsibility Entity did
not review the training program
on an annual basis.
The Responsible Entity did document but did not establish,
implement, nor maintain an annual cyber security training
program for personnel having authorized cyber or authorized
unescorted physical access to Critical Cyber Assets.
The Responsible Entity did not establish, document, implement,
nor maintain an annual cyber security training program for
personnel having authorized cyber or authorized unescorted
physical access to Critical Cyber Assets.
R2.1. MEDIUM
At least one individual
but less than 5% of
personnel having
authorized cyber or
unescorted physical
access to Critical Cyber
Assets, including
contractors and service
vendors, were not
trained prior to their
being granted such
access except in
specified circumstances
such as an emergency.
At least 5% but less than 10% of
all personnel having authorized
cyber or unescorted physical
access to Critical Cyber Assets,
including contractors and service
vendors, were not trained prior
to their being granted such
access except in specified
circumstances such as an
emergency.
At least 10% but less than 15% of all personnel having
authorized cyber or unescorted physical access to Critical
Cyber Assets, including contractors and service vendors,
were not trained prior to their being granted such access
except in specified circumstances such as an emergency.
15% or more of all personnel having authorized cyber or
unescorted physical access to Critical Cyber Assets, including
contractors and service vendors, were not trained prior to their
being granted such access except in specified circumstances such
as an emergency.
Standard CIP0044a Cyber Security Pers onnel and Training
Page 6 of 11
Requirement VRF Lower VSL Moderate VSL High VSL Severe VSL
R2.2. MEDIUM
N/A The training does not include
one of the minimum topics as
detailed in R2.2.1, R2.2.2,
R2.2.3, R2.2.4.
The training does not include two of the minimum topics as
detailed in R2.2.1, R2.2.2, R2.2.3, R2.2.4.
The training does not include three or more of the minimum
topics as detailed in R2.2.1, R2.2.2, R2.2.3, R2.2.4.
R2.2.1. LOWER
N/A N/A N/A N/A
R2.2.2. LOWER
N/A N/A N/A N/A
R2.2.3. LOWER
N/A N/A N/A N/A
R2.2.4. LOWER
N/A N/A N/A N/A
R2.3. LOWER
N/A N/A The Responsible Entity did maintain documentation that
training is conducted at least annually, but did not include
either the date the training was completed or attendance
records.
The Responsible Entity did not maintain documentation that
training is conducted at least annually, including the date the
training was completed or attendance records.
R3. MEDIUM
N/A The Responsible Entity has a
personnel risk assessment
program, in accordance with
federal, state, provincial, and
local laws, and subject to
existing collective bargaining
unit agreements, for personnel
having authorized cyber or
authorized unescorted physical
access, but the program is not
documented.
The Responsible Entity has a personnel risk assessment
program as stated in R3, but conducted the personnel risk
assessment pursuant to that program after such personnel
were granted such access except in specified circumstances
such as an emergency.
The Responsible Entity does not have a documented personnel
risk assessment program, in accordance with federal, state,
provincial, and local laws, and subject to existing collective
bargaining unit agreements, for personnel having authorized
cyber or authorized unescorted physical access.
OR
The Responsible Entity did not conduct the personnel risk
assessment pursuant to that program for personnel granted such
access except in specified circumstances such as an emergency.
R3.1. LOWER
N/A N/A The Responsible Entity did not ensure that an assessment
conducted included an identity verification (e.g., Social
Security Number verification in the U.S.) or a seven-year
criminal check.
The Responsible Entity did not ensure that each assessment
conducted include, at least, identity verification (e.g., Social
Security Number verification in the U.S.) and seven-year
criminal check.
Standard CIP0044a Cyber Security Pers onnel and Training
Page 7 of 11
Requirement VRF Lower VSL Moderate VSL High VSL Severe VSL
R3.2. LOWER
N/A The Responsible Entity did not
update each personnel risk
assessment at least every seven
years after the initial personnel
risk assessment but did update it
for cause when applicable.
The Responsible Entity did not update each personnel risk
assessment for cause (when applicable) but did at least
updated it every seven years after the initial personnel risk
assessment.
The Responsible Entity did not update each personnel risk
assessment at least every seven years after the initial personnel
risk assessment nor was it updated for cause when applicable.
R3.3. LOWER
The Responsible Entity
did not document the
results of personnel risk
assessments for at least
one individual but less
than 5% of all personnel
with authorized cyber or
authorized unescorted
physical access to
Critical Cyber Assets,
pursuant to Standard
CIP-004-4.
The Responsible Entity did not
document the results of
personnel risk assessments for
5% or more but less than 10% of
all personnel with authorized
cyber or authorized unescorted
physical access to Critical Cyber
Assets, pursuant to Standard
CIP-004-4.
The Responsible Entity did not document the results of
personnel risk assessments for 10% or more but less than
15% of all personnel with authorized cyber or authorized
unescorted physical access to Critical Cyber Assets, pursuant
to Standard CIP-004-4.
The Responsible Entity did not document the results of personnel
risk assessments for 15% or more of all personnel with
authorized cyber or authorized unescorted physical access to
Critical Cyber Assets, pursuant to Standard CIP-004-4.
R4. LOWER
The Responsible Entity
did not maintain
complete list(s) of
personnel with
authorized cyber or
authorized unescorted
physical access to
Critical Cyber Assets,
including their specific
electronic and physical
access rights to Critical
Cyber Assets, missing at
least one individual but
less than 5% of the
authorized personnel.
The Responsible Entity did not
maintain complete list(s) of
personnel with authorized cyber
or authorized unescorted
physical access to Critical Cyber
Assets, including their specific
electronic and physical access
rights to Critical Cyber Assets,
missing 5% or more but less
than 10% of the authorized
personnel.
The Responsible Entity did not maintain complete list(s) of
personnel with authorized cyber or authorized unescorted
physical access to Critical Cyber Assets, including their
specific electronic and physical access rights to Critical
Cyber Assets, missing 10% or more but less than 15%of the
authorized personnel.
The Responsible Entity did not maintain complete list(s) of
personnel with authorized cyber or authorized unescorted
physical access to Critical Cyber Assets, including their specific
electronic and physical access rights to Critical Cyber Assets,
missing 15% or more of the authorized personnel.
R4.1. LOWER
N/A The Responsible Entity did not
review the list(s) of its personnel
who have access to Critical
Cyber Assets quarterly.
The Responsible Entity did not update the list(s) within
seven calendar days of any change of personnel with such
access to Critical Cyber Assets, nor any change in the access
rights of such personnel.
The Responsible Entity did not review the list(s) of all personnel
who have access to Critical Cyber Assets quarterly, nor update
the list(s) within seven calendar days of any change of personnel
with such access to Critical Cyber Assets, nor any change in the
access rights of such personnel.
R4.2. MEDIUM
N/A The Responsible Entity did not
revoke access within seven
calendar days for personnel who
no longer require such access to
Critical Cyber Assets.
The Responsible Entity did not revoke access to Critical
Cyber Assets within 24 hours for personnel terminated for
cause.
The Responsible Entity did not revoke access to Critical Cyber
Assets within 24 hours for personnel terminated for cause nor
within seven calendar days for personnel who no longer require
such access to Critical Cyber Assets.
Standard CIP0044a Cyber Security Pers onnel and Training
Page 8 of 11
E. Regional Variances
None identified.
Version History
Version Date Action Change Tracking
1 01/16/06 D.2.2.4 Insert the phrase for cause as
intended. One instance of personnel termination
for cause
03/24/06
1 06/01/06 D.2.1.4 Change access control rights to
access rights.
06/05/06
2 Modifications to clarify the requirements and to
bring the compliance elements into conformance
with the latest guidelines for developing
compliance elements of standards.
Removal of reasonable business judgment.
Replaced the RRO with the RE as a responsible
entity.
Rewording of Effective Date.
Reference to emergency situations.
Modification to R1 for the Responsible Entity to
establish, document, implement, and maintain the
awareness program.
Modification to R2 for the Responsible Entity to
establish, document, implement, and maintain the
training program; also stating the requirements for
the cyber security training program.
Modification to R3 Personnel Risk Assessment to
clarify that it pertains to personnel having
authorized cyber or authorized unescorted physical
access to Critical Cyber Assets.
Removal of 90 day window to complete training
and 30 day window to complete personnel risk
assessments.
Changed compliance monitor to Compliance
Enforcement Authority.
3 Update version number from -2 to -3
3 12/16/09 Approved by NERC Board of Trustees Update
4 Board
approved
01/24/2011
Update version number from 3 to 4 Update to conform to
changes to CIP-002-4
(Project 2008-06)
4 4/19/12 FERC Order issued approving CIP-004-4 (approval
becomes effective June 25, 2012)
Added approved VRF/VSL table to section D.2.
Standard CIP0044a Cyber Security Pers onnel and Training
Page 9 of 11
3a/4a 5/24/12 Interpretation of R2, R3, and R4 adopted by NERC
Board of Trustees
3a/4a 12/13/12 Interpretation of R2, R3, and R4 approved by
FERC in a Letter Order issued December 12, 2012
Standard CIP0044a Cyber Security Pers onnel and Training
Page 10 of 11
Appendix 1
Requirement Number and Text of Requirement
R2. Training The Responsible Entity shall establish, maintain, and document an annual cyber
security training program for personnel having authorized cyber or authorized unescorted physical
access to Critical Cyber Assets, and review the program annually and update as necessary.
R2.1. This program will ensure that all personnel having such access to Critical Cyber Assets,
including contractors and service vendors, are trained within ninety calendar days of such
authorization.
R3. Personnel Risk Assessment The Responsible Entity shall have a documented personnel risk
assessment program, in accordance with federal, state, provincial, and local laws, and subject to
existing collective bargaining unit agreements, for personnel having authorized cyber or authorized
unescorted physical access. A personnel risk assessment shall be conducted pursuant to that program
within thirty days of such personnel being granted such access. Such program shall at a minimum
include:
R4. Access The Responsible Entity shall maintain list(s) of personnel with authorized cyber or
authorized unescorted physical access to Critical Cyber Assets, including their specific electronic and
physical access rights to Critical Cyber Assets.
Question 1
The WECC RC seeks clarification on the definition of authorized access as applied to temporary
support from vendors.
Do the training, risk assessment and access requirements specified in R2, R3, and R4 apply to vendors
who are supervised? Assuming that a supervised vendor is exempt from CIP-004-1, Requirements R2,
R3 and R4, would temporary, indirect and monitored access such as that provided through remote
terminal sessions (WebEx, etc.) or escorted physical access be considered supervision?
Response to Question 1
WECC asks three questions, which are listed below. The answer to each question follows the question.
1. WECC seeks clarification on the definition of authorized access as applied to temporary
support from vendors.
Answer: While the Glossary of Terms used in NERC Reliability Standards does not have a definition
of authorized access, CIP-004-1, Requirement R4 requires that an entity shall maintain list(s) of
personnel with authorized cyber or authorized unescorted physical access to Critical Cyber Assets,
including their specific electronic and physical access rights to Critical Cyber Assets. For purposes
of CIP-004-1, an individual has authorized access if he or she is on that list, and, as a result, is
subject to Requirements R2, R3, and R4.
2. Do the training, risk assessment, and access requirements specified in R2, R3, and R4 apply to
vendors who are supervised?
Standard CIP0044a Cyber Security Pers onnel and Training
Page 11 of 11
Answer: As written, all cyber access to Critical Cyber Assets must be authorized, and all authorized
access must comply with Requirements R2, R3, and R4.
1
Through the use of the qualifier
unescorted with regard to physical access, CIP-004-1, Requirement R2, implies the concept of
supervision for physical access when an individual is not authorized, and CIP-006 R1.6 also allows
for escorted unauthorized physical access via a visitor program. There is no similar qualifier or
reference in the requirement that mentions escorted or otherwise implies supervision for cyber
access within CIP-004. Furthermore, there is no mention of any escorted unauthorized cyber access
within CIP-007 similar to the visitor program in CIP-006 R1.6. Compared to physical access, the
concept or any words relating to escorting or supervision in the requirement language is absent
relative to cyber access.
3. Assuming that a supervised vendor is exempt from CIP-004-1, Requirements R2, R3, and R4,
would temporary, indirect and monitored access such as that provided through remote terminal
sessions (WebEx, etc.) or escorted physical access be considered supervision?
Answer: To the extent a vendor is escorted to physically access a Critical Cyber Asset for purposes
other than direct cyber access (e.g., replacing parts on the Critical Cyber Asset), supervision is
acceptable (within the context of escorted physical access). If the escorted physical access includes
bringing a vendor or other individual to the Critical Cyber Asset to direct someone with authorized
access in performing cyber access, such supervision is also acceptable within the language of the
requirement, since the vendor or other individual is merely present while an authorized individual
conducts the actual cyber access. However, the requirement language does not support the notion of
physically escorting a vendor or other individual to a Critical Cyber Asset for the vendor or other
individual to perform cyber access, even if supervised. Even if it is possible to provide supervised
cyber access to Critical Cyber Assets, there is no basis or contemplation of escorted cyber access
whatsoever in CIP-004, whether remotely or in person.
1
The drafting team also notes that the FAQ referenced in the request for interpretation is not the same as an
approved Reliability Standard and is not mandatory and enforceable. The FAQ was not developed or approved
through the same standards development process, and cannot be used to substitute for the language in the standard
itself. The drafting team also notes that the concept of unsupervised trusted access in the FAQ applies only to
Version 1which contained a 30 and 90 day provision for training and personnel risk assessments for personnel
with authorized cyber access and authorized unescorted physical accessand it was not modified to conform to the
changes made in subsequent versions.
CIP0045CyberSecurityPersonnel&Training
Page1of52
A. I ntroduction
1. Title: CyberSecurityPersonnel&Training
2. Number: CIP0045
3. Purpose: Tominimizetheriskagainstcompromisethatcouldleadtomisoperationor
instabilityintheBESfromindividualsaccessingBESCyberSystemsbyrequiringanappropriate
levelofpersonnelriskassessment,training,andsecurityawarenessinsupportofprotecting
BESCyberSystems.
4. Applicability:
4.1. FunctionalEntities:Forthepurposeoftherequirementscontainedherein,thefollowing
listoffunctionalentitieswillbecollectivelyreferredtoasResponsibleEntities.For
requirementsinthisstandardwhereaspecificfunctionalentityorsubsetoffunctional
entitiesaretheapplicableentityorentities,thefunctionalentityorentitiesarespecified
explicitly.
4.1.1. BalancingAuthority
4.1.2. DistributionProviderthatownsoneormoreofthefollowingFacilities,systems,and
equipmentfortheprotectionorrestorationoftheBES:
4.1.2.1. EachunderfrequencyLoadshedding(UFLS)orundervoltageLoadshedding
(UVLS)systemthat:
4.1.2.1.1. ispartofaLoadsheddingprogramthatissubjecttooneormore
requirementsinaNERCorRegionalReliabilityStandard;and
4.1.2.1.2. performsautomaticLoadsheddingunderacommoncontrolsystem
ownedbytheResponsibleEntity,withouthumanoperatorinitiation,of
300MWormore.
4.1.2.2. EachSpecialProtectionSystemorRemedialActionSchemewheretheSpecial
ProtectionSystemorRemedialActionSchemeissubjecttooneormore
requirementsinaNERCorRegionalReliabilityStandard.
4.1.2.3. EachProtectionSystem(excludingUFLSandUVLS)thatappliestoTransmission
wheretheProtectionSystemissubjecttooneormorerequirementsinaNERC
orRegionalReliabilityStandard.
4.1.2.4. EachCrankingPathandgroupofElementsmeetingtheinitialswitching
requirementsfromaBlackstartResourceuptoandincludingthefirst
interconnectionpointofthestartingstationserviceofthenextgeneration
unit(s)tobestarted.
4.1.3. GeneratorOperator
4.1.4. GeneratorOwner
4.1.5. InterchangeCoordinatororInterchangeAuthority
CIP0045CyberSecurityPersonnel&Training
Page2of52
4.1.6. ReliabilityCoordinator
4.1.7. TransmissionOperator
4.1.8. TransmissionOwner
4.2. Facilities:Forthepurposeoftherequirementscontainedherein,thefollowing
Facilities,systems,andequipmentownedbyeachResponsibleEntityin4.1aboveare
thosetowhichtheserequirementsareapplicable.Forrequirementsinthisstandard
whereaspecifictypeofFacilities,system,orequipmentorsubsetofFacilities,systems,
andequipmentareapplicable,thesearespecifiedexplicitly.
4.2.1. DistributionProvider:OneormoreofthefollowingFacilities,systemsand
equipmentownedbytheDistributionProviderfortheprotectionorrestorationof
theBES:
4.2.1.1. EachUFLSorUVLSSystemthat:
4.2.1.1.1. ispartofaLoadsheddingprogramthatissubjecttooneormore
requirementsinaNERCorRegionalReliabilityStandard;and
4.2.1.1.2. performsautomaticLoadsheddingunderacommoncontrolsystem
ownedbytheResponsibleEntity,withouthumanoperatorinitiation,of
300MWormore.
4.2.1.2. EachSpecialProtectionSystemorRemedialActionSchemewheretheSpecial
ProtectionSystemorRemedialActionSchemeissubjecttooneormore
requirementsinaNERCorRegionalReliabilityStandard.
4.2.1.3. EachProtectionSystem(excludingUFLSandUVLS)thatappliestoTransmission
wheretheProtectionSystemissubjecttooneormorerequirementsinaNERC
orRegionalReliabilityStandard.
4.2.1.4. EachCrankingPathandgroupofElementsmeetingtheinitialswitching
requirementsfromaBlackstartResourceuptoandincludingthefirst
interconnectionpointofthestartingstationserviceofthenextgeneration
unit(s)tobestarted.
4.2.2. ResponsibleEntitieslistedin4.1otherthanDistributionProviders:
AllBESFacilities.
4.2.3. Exemptions:ThefollowingareexemptfromStandardCIP0045:
4.2.3.1. CyberAssetsatFacilitiesregulatedbytheCanadianNuclearSafetyCommission.
4.2.3.2. CyberAssetsassociatedwithcommunicationnetworksanddata
communicationlinksbetweendiscreteElectronicSecurityPerimeters.
4.2.3.3. Thesystems,structures,andcomponentsthatareregulatedbytheNuclear
RegulatoryCommissionunderacybersecurityplanpursuantto10C.F.R.
Section73.54.
CIP0045CyberSecurityPersonnel&Training
Page3of52
4.2.3.4. ForDistributionProviders,thesystemsandequipmentthatarenotincludedin
section4.2.1above.
4.2.3.5. ResponsibleEntitiesthatidentifythattheyhavenoBESCyberSystems
categorizedashighimpactormediumimpactaccordingtotheCIP0025
identificationandcategorizationprocesses.
5.EffectiveDates:
1. 24MonthsMinimumCIP0045shallbecomeeffectiveonthelaterofJuly1,2015,orthe
firstcalendardayoftheninthcalendarquarteraftertheeffectivedateoftheorder
providingapplicableregulatoryapproval.
2. Inthosejurisdictionswherenoregulatoryapprovalisrequired,CIP0045shallbecome
effectiveonthefirstdayoftheninthcalendarquarterfollowingBoardofTrustees
approval,orasotherwisemadeeffectivepursuanttothelawsapplicabletosuchERO
governmentalauthorities.
6.Background:
StandardCIP0045existsaspartofasuiteofCIPStandardsrelatedtocybersecurity.CIP0025
requirestheinitialidentificationandcategorizationofBESCyberSystems.CIP0035,CIP004
5,CIP0055,CIP0065,CIP0075,CIP0085,CIP0095,CIP0101andCIP0111requirea
minimumleveloforganizational,operationalandproceduralcontrolstomitigaterisktoBES
CyberSystems.ThissuiteofCIPStandardsisreferredtoastheVersion5CIPCyberSecurity
Standards.
Mostrequirementsopenwith,EachResponsibleEntityshallimplementoneormore
documented[processes,plan,etc]thatincludetheapplicableitemsin[TableReference].The
referencedtablerequirestheapplicableitemsintheproceduresfortherequirementscommon
subjectmatter.
TheSDThasincorporatedwithinthisstandardarecognitionthatcertainrequirementsshould
notfocusonindividualinstancesoffailureasasolebasisforviolatingthestandard.In
particular,theSDThasincorporatedanapproachtoempowerandenabletheindustryto
identify,assess,andcorrectdeficienciesintheimplementationofcertainrequirements.The
intentistochangethebasisofaviolationinthoserequirementssothattheyarenotfocused
onwhetherthereisadeficiency,butonidentifying,assessing,andcorrectingdeficiencies.Itis
presentedinthoserequirementsbymodifyingimplementasfollows:
EachResponsibleEntityshallimplement,inamannerthatidentifies,assesses,and
correctsdeficiencies,...
Thetermdocumentedprocessesreferstoasetofrequiredinstructionsspecifictothe
ResponsibleEntityandtoachieveaspecificoutcome.Thistermdoesnotimplyanyparticular
namingorapprovalstructurebeyondwhatisstatedintherequirements.Anentityshould
includeasmuchasitbelievesnecessaryintheirdocumentedprocesses,buttheymustaddress
theapplicablerequirementsinthetable.Thedocumentedprocessesthemselvesarenot
requiredtoincludethe...identifies,assesses,andcorrectsdeficiencies,..."elements
describedintheprecedingparagraph,asthoseaspectsarerelatedtothemannerof
CIP0045CyberSecurityPersonnel&Training
Page4of52
implementationofthedocumentedprocessesandcouldbeaccomplishedthroughother
controlsorcompliancemanagementactivities.
Thetermsprogramandplanaresometimesusedinplaceofdocumentedprocesseswhereit
makessenseandiscommonlyunderstood.Forexample,documentedprocessesdescribinga
responsearetypicallyreferredtoasplans(i.e.,incidentresponseplansandrecoveryplans).
Likewise,asecurityplancandescribeanapproachinvolvingmultipleprocedurestoaddressa
broadsubjectmatter.
Similarly,thetermprogrammayrefertotheorganizationsoverallimplementationofits
policies,plansandproceduresinvolvingasubjectmatter.Examplesinthestandardsinclude
thepersonnelriskassessmentprogramandthepersonneltrainingprogram.Thefull
implementationoftheCIPCyberSecurityStandardscouldalsobereferredtoasaprogram.
However,thetermsprogramandplandonotimplyanyadditionalrequirementsbeyondwhat
isstatedinthestandards.
ResponsibleEntitiescanimplementcommoncontrolsthatmeetrequirementsformultiplehigh
andmediumimpactBESCyberSystems.Forexample,asingletrainingprogramcouldmeetthe
requirementsfortrainingpersonnelacrossmultipleBESCyberSystems.
Measuresfortheinitialrequirementaresimplythedocumentedprocessesthemselves.
Measuresinthetablerowsprovideexamplesofevidencetoshowdocumentationand
implementationofapplicableitemsinthedocumentedprocesses.Thesemeasuresserveto
provideguidancetoentitiesinacceptablerecordsofcomplianceandshouldnotbeviewedas
anallinclusivelist.
Throughoutthestandards,unlessotherwisestated,bulleteditemsintherequirementsand
measuresareitemsthatarelinkedwithanor,andnumbereditemsareitemsthatarelinked
withanand.
ManyreferencesintheApplicabilitysectionuseathresholdof300MWforUFLSandUVLS.
Thisparticularthresholdof300MWforUVLSandUFLSwasprovidedinVersion1oftheCIP
CyberSecurityStandards.Thethresholdremainsat300MWsinceitisspecificallyaddressing
UVLSandUFLS,whicharelastditcheffortstosavetheBulkElectricSystem.AreviewofUFLS
tolerancesdefinedwithinregionalreliabilitystandardsforUFLSprogramrequirementstodate
indicatesthatthehistoricalvalueof300MWrepresentsanadequateandreasonablethreshold
valueforallowableUFLSoperationaltolerances.
ApplicableSystemsColumnsinTables:
EachtablehasanApplicableSystemscolumntofurtherdefinethescopeofsystemstowhich
aspecificrequirementrowapplies.TheCSO706SDTadaptedthisconceptfromtheNational
InstituteofStandardsandTechnology(NIST)RiskManagementFrameworkasawayof
applyingrequirementsmoreappropriatelybasedonimpactandconnectivitycharacteristics.
ThefollowingconventionsareusedintheApplicableSystemscolumnasdescribed.
HighImpactBESCyberSystemsAppliestoBESCyberSystemscategorizedashighimpact
accordingtotheCIP0025identificationandcategorizationprocesses.
CIP0045CyberSecurityPersonnel&Training
Page5of52
MediumImpactBESCyberSystemsAppliestoBESCyberSystemscategorizedasmedium
impactaccordingtotheCIP0025identificationandcategorizationprocesses.
MediumImpactBESCyberSystemswithExternalRoutableConnectivityOnlyappliesto
mediumimpactBESCyberSystemswithExternalRoutableConnectivity.Thisalsoexcludes
CyberAssetsintheBESCyberSystemthatcannotbedirectlyaccessedthroughExternal
RoutableConnectivity.
ElectronicAccessControlorMonitoringSystems(EACMS)AppliestoeachElectronic
AccessControlorMonitoringSystemassociatedwithareferencedhighimpactBESCyber
SystemormediumimpactBESCyberSystem.Examplesmayinclude,butarenotlimitedto,
firewalls,authenticationservers,andlogmonitoringandalertingsystems.
PhysicalAccessControlSystems(PACS)AppliestoeachPhysicalAccessControlSystem
associatedwithareferencedhighimpactBESCyberSystemormediumimpactBESCyber
SystemwithExternalRoutableConnectivity.
CIP0045CyberSecurityPersonnel&Training
Page6of52
B. Requirements and Measures
R1. EachResponsibleEntityshallimplementoneormoredocumentedprocessesthatcollectivelyincludeeachofthe
applicablerequirementpartsinCIP0045TableR1SecurityAwarenessProgram.[ViolationRiskFactor:Lower][Time
Horizon:OperationsPlanning]
M1. Evidencemustincludeeachoftheapplicabledocumentedprocessesthatcollectivelyincludeeachoftheapplicable
requirementpartsinCIP0045TableR1SecurityAwarenessProgramandadditionalevidencetodemonstrate
implementationasdescribedintheMeasurescolumnofthetable.
CIP0045TableR1SecurityAwarenessProgram
Part ApplicableSystems Requirements Measures
1.1 HighImpactBESCyberSystems
MediumImpactBESCyberSystems
Securityawarenessthat,atleastonce
eachcalendarquarter,reinforcescyber
securitypractices(whichmayinclude
associatedphysicalsecuritypractices)
fortheResponsibleEntityspersonnel
whohaveauthorizedelectronicor
authorizedunescortedphysicalaccess
toBESCyberSystems.
Anexampleofevidencemayinclude,
butisnotlimitedto,documentation
thatthequarterlyreinforcementhas
beenprovided.Examplesofevidence
ofreinforcementmayinclude,butare
notlimitedto,datedcopiesof
informationusedtoreinforcesecurity
awareness,aswellasevidenceof
distribution,suchas:
directcommunications(for
example,emails,memos,
computerbasedtraining);or
indirectcommunications(for
example,posters,intranet,or
brochures);or
managementsupportand
reinforcement(forexample,
presentationsormeetings).
CIP0045CyberSecurityPersonnel&Training
Page7of52
R2. EachResponsibleEntityshallimplement,inamannerthatidentifies,assesses,andcorrectsdeficiencies,acybersecurity
trainingprogram(s)appropriatetoindividualroles,functions,orresponsibilitiesthatcollectivelyincludeseachofthe
applicablerequirementpartsinCIP0045TableR2CyberSecurityTrainingProgram.[ViolationRiskFactor:Lower][Time
Horizon:OperationsPlanning]
M2.EvidencemustincludethetrainingprogramthatincludeseachoftheapplicablerequirementpartsinCIP0045TableR2
CyberSecurityTrainingProgramandadditionalevidencetodemonstrateimplementationoftheprogram(s).
CIP0045CyberSecurityPersonnel&Training
Page8of52
CIP0045TableR2CyberSecurityTrainingProgram
Part ApplicableSystems Requirements Measures
2.1 HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;and
2. PACS
MediumImpactBESCyberSystems
withExternalRoutableConnectivity
andtheirassociated:
1. EACMS;and
2. PACS
Trainingcontenton:
2.1.1. Cybersecuritypolicies;
2.1.2. Physicalaccesscontrols;
2.1.3. Electronicaccesscontrols;
2.1.4. Thevisitorcontrolprogram;
2.1.5. HandlingofBESCyberSystem
Informationanditsstorage;
2.1.6. IdentificationofaCyber
SecurityIncidentandinitial
notificationsinaccordance
withtheentitysincident
responseplan;
2.1.7. RecoveryplansforBESCyber
Systems;
2.1.8. ResponsetoCyberSecurity
Incidents;and
2.1.9. Cybersecurityrisksassociated
withaBESCyberSystems
electronicinterconnectivity
andinteroperabilitywith
otherCyberAssets.
Examplesofevidencemayinclude,
butarenotlimitedto,training
materialsuchaspowerpoint
presentations,instructornotes,
studentnotes,handouts,orother
trainingmaterials.
CIP0045CyberSecurityPersonnel&Training
Page9of52
CIP0045TableR2CyberSecurityTrainingProgram
Part ApplicableSystems Requirements Measures
2.2 HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;and
2. PACS
MediumImpactBESCyberSystems
withExternalRoutableConnectivity
andtheirassociated:
1. EACMS;and
2. PACS
Requirecompletionofthetraining
specifiedinPart2.1priortogranting
authorizedelectronicaccessand
authorizedunescortedphysicalaccess
toapplicableCyberAssets,except
duringCIPExceptionalCircumstances.
Examplesofevidencemayinclude,
butarenotlimitedto,training
recordsanddocumentationofwhen
CIPExceptionalCircumstanceswere
invoked.
2.3 HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;and
2. PACS
MediumImpactBESCyberSystems
withExternalRoutableConnectivity
andtheirassociated:
1. EACMS;and
2. PACS
Requirecompletionofthetraining
specifiedinPart2.1atleastonce
every15calendarmonths.
Examplesofevidencemayinclude,
butarenotlimitedto,dated
individualtrainingrecords.
R3. EachResponsibleEntityshallimplement,inamannerthatidentifies,assesses,andcorrectsdeficiencies,oneormore
documentedpersonnelriskassessmentprogramstoattainandretainauthorizedelectronicorauthorizedunescorted
physicalaccesstoBESCyberSystemsthatcollectivelyincludeeachoftheapplicablerequirementpartsinCIP0045Table
R3PersonnelRiskAssessmentProgram.[ViolationRiskFactor:Medium][TimeHorizon:OperationsPlanning].
CIP0045CyberSecurityPersonnel&Training
Page10of52
M3. Evidencemustincludethedocumentedpersonnelriskassessmentprogramsthatcollectivelyincludeeachoftheapplicable
requirementpartsinCIP0045TableR3PersonnelRiskAssessmentProgramandadditionalevidencetodemonstrate
implementationoftheprogram(s).
CIP0045TableR3PersonnelRiskAssessmentProgram
Part ApplicableSystems Requirements Measures
3.1 HighImpactBESCyberSystemsandtheir
associated:
1. EACMS;and
2. PACS
MediumImpactBESCyberSystemswith
ExternalRoutableConnectivityandtheir
associated:
1. EACMS;and
2. PACS
Processtoconfirmidentity. Anexampleofevidencemay
include,butisnotlimitedto,
documentationoftheResponsible
Entitysprocesstoconfirmidentity.
CIP0045CyberSecurityPersonnel&Training
Page11of52
CIP0045TableR3PersonnelRiskAssessmentProgram
Part ApplicableSystems Requirements Measures
3.2 HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;and
2. PACS
MediumImpactBESCyberSystems
withExternalRoutableConnectivity
andtheirassociated:
1. EACMS;and
2. PACS
Processtoperformasevenyear
criminalhistoryrecordscheckaspartof
eachpersonnelriskassessmentthat
includes:
3.2.1.currentresidence,regardlessof
duration;and
3.2.2.otherlocationswhere,during
thesevenyearsimmediatelypriorto
thedateofthecriminalhistory
recordscheck,thesubjecthasresided
forsixconsecutivemonthsormore.
Ifitisnotpossibletoperformafull
sevenyearcriminalhistoryrecords
check,conductasmuchoftheseven
yearcriminalhistoryrecordscheckas
possibleanddocumentthereasonthe
fullsevenyearcriminalhistoryrecords
checkcouldnotbeperformed.
Anexampleofevidencemayinclude,
butisnotlimitedto,documentationof
theResponsibleEntitysprocessto
performasevenyearcriminalhistory
recordscheck.
CIP0045CyberSecurityPersonnel&Training
Page12of52
CIP0045TableR3PersonnelRiskAssessmentProgram
Part ApplicableSystems Requirements Measures
3.3 HighImpactBESCyberSystemsandtheir
associated:
1. EACMS;and
2. PACS
MediumImpactBESCyberSystemswith
ExternalRoutableConnectivityandtheir
associated:
1. EACMS;and
2. PACS
Criteriaorprocesstoevaluatecriminal
historyrecordschecksforauthorizing
access.
Anexampleofevidencemay
include,butisnotlimitedto,
documentationofthe
ResponsibleEntitysprocessto
evaluatecriminalhistoryrecords
checks.
3.4 HighImpactBESCyberSystemsandtheir
associated:
1. EACMS;and
2. PACS
MediumImpactBESCyberSystemswith
ExternalRoutableConnectivityandtheir
associated:
1. EACMS;and
2. PACS
Criteriaorprocessforverifyingthat
personnelriskassessmentsperformedfor
contractorsorservicevendorsare
conductedaccordingtoParts3.1through
3.3.
Anexampleofevidencemay
include,butisnotlimitedto,
documentationofthe
ResponsibleEntityscriteriaor
processforverifyingcontractors
orservicevendorspersonnelrisk
assessments.
CIP0045CyberSecurityPersonnel&Training
Page13of52
R4. EachResponsibleEntityshallimplement,inamannerthatidentifies,assesses,andcorrectsdeficiencies,oneormore
documentedaccessmanagementprogramsthatcollectivelyincludeeachoftheapplicablerequirementpartsinCIP0045
TableR4AccessManagementProgram.[ViolationRiskFactor:Lower][TimeHorizon:OperationsPlanningandSameDay
Operations].
M4. EvidencemustincludethedocumentedprocessesthatcollectivelyincludeeachoftheapplicablerequirementpartsinCIP
0045TableR4AccessManagementProgramandadditionalevidencetodemonstratethattheaccessmanagement
programwasimplementedasdescribedintheMeasurescolumnofthetable.
CIP0045TableR3PersonnelRiskAssessmentProgram
Part ApplicableSystems Requirements Measures
3.5 HighImpactBESCyberSystemsandtheir
associated:
1. EACMS;and
2. PACS
MediumImpactBESCyberSystemswith
ExternalRoutableConnectivityandtheir
associated:
1. EACMS;and
2. PACS
Processtoensurethatindividualswith
authorizedelectronicorauthorized
unescortedphysicalaccesshavehada
personnelriskassessmentcompleted
accordingtoParts3.1to3.4withinthelast
sevenyears.
Anexampleofevidencemay
include,butisnotlimitedto,
documentationofthe
ResponsibleEntitysprocessfor
ensuringthatindividualswith
authorizedelectronicor
authorizedunescortedphysical
accesshavehadapersonnelrisk
assessmentcompletedwithinthe
lastsevenyears.
CIP0045CyberSecurityPersonnel&Training
Page14of52
CIP0045TableR4AccessManagementProgram
Part ApplicableSystems Requirements Measures
4.1 HighImpactBESCyberSystemsandtheir
associated:
1. EACMS;and
2. PACS
MediumImpactBESCyberSystemswith
ExternalRoutableConnectivityandtheir
associated:
1. EACMS;and
2. PACS
Processtoauthorizebasedonneed,as
determinedbytheResponsibleEntity,
exceptforCIPExceptional
Circumstances:
4.1.1. Electronicaccess;
4.1.2. Unescortedphysicalaccessintoa
PhysicalSecurityPerimeter;and
4.1.3. Accesstodesignatedstorage
locations,whetherphysicalor
electronic,forBESCyberSystem
Information.
Anexampleofevidencemay
include,butisnotlimitedto,dated
documentationoftheprocessto
authorizeelectronicaccess,
unescortedphysicalaccessina
PhysicalSecurityPerimeter,and
accesstodesignatedstorage
locations,whetherphysicalor
electronic,forBESCyberSystem
Information.
CIP0045CyberSecurityPersonnel&Training
Page15of52
CIP0045TableR4AccessManagementProgram
Part ApplicableSystems Requirements Measures
4.2 HighImpactBESCyberSystemsandtheir
associated:
1. EACMS;and
2. PACS
MediumImpactBESCyberSystemswith
ExternalRoutableConnectivityandtheir
associated:
1. EACMS;and
2. PACS
Verifyatleastonceeachcalendar
quarterthatindividualswithactive
electronicaccessorunescortedphysical
accesshaveauthorizationrecords.
Examplesofevidencemayinclude,
butarenotlimitedto:
Dateddocumentationofthe
verificationbetweenthesystem
generatedlistofindividualswho
havebeenauthorizedforaccess
(i.e.,workflowdatabase)anda
systemgeneratedlistof
personnelwhohaveaccess(i.e.,
useraccountlisting),or
Dateddocumentationofthe
verificationbetweenalistof
individualswhohavebeen
authorizedforaccess(i.e.,
authorizationforms)andalist
ofindividualsprovisionedfor
access(i.e.,provisioningforms
orsharedaccountlisting).
CIP0045CyberSecurityPersonnel&Training
Page16of52
CIP0045TableR4AccessManagementProgram
Part ApplicableSystems Requirements Measures
4.3 HighImpactBESCyberSystemsandtheir
associated:
1. EACMS;and
2. PACS
MediumImpactBESCyberSystemswith
ExternalRoutableConnectivityandtheir
associated:
1. EACMS;and
2. PACS
Forelectronicaccess,verifyatleastonce
every15calendarmonthsthatalluser
accounts,useraccountgroups,oruser
rolecategories,andtheirspecific,
associatedprivilegesarecorrectandare
thosethattheResponsibleEntity
determinesarenecessary.
Anexampleofevidencemay
include,butisnotlimitedto,
documentationofthereviewthat
includesallofthefollowing:
1. Adatedlistingofall
accounts/accountgroupsor
roleswithinthesystem;
2. Asummarydescriptionof
privilegesassociatedwith
eachgrouporrole;
3. Accountsassignedtothe
grouporrole;and
4. Datedevidenceshowing
verificationoftheprivileges
forthegroupareauthorized
andappropriatetothework
functionperformedby
peopleassignedtoeach
account.
CIP0045CyberSecurityPersonnel&Training
Page17of52
CIP0045TableR4AccessManagementProgram
Part ApplicableSystems Requirements Measures
4.4 HighImpactBESCyberSystemsandtheir
associated:
1. EACMS;and
2. PACS
MediumImpactBESCyberSystemswith
ExternalRoutableConnectivityandtheir
associated:
1. EACMS;and
2. PACS
Verifyatleastonceevery15calendar
monthsthataccesstothedesignated
storagelocationsforBESCyberSystem
Information,whetherphysicalor
electronic,arecorrectandarethosethat
theResponsibleEntitydeterminesare
necessaryforperformingassignedwork
functions.
Anexampleofevidencemay
include,butisnotlimitedto,the
documentationofthereviewthat
includesallofthefollowing:
1. Adatedlistingof
authorizationsforBESCyber
Systeminformation;
2. Anyprivilegesassociated
withtheauthorizations;and
3. Datedevidenceshowinga
verificationofthe
authorizationsandany
privilegeswereconfirmed
correctandtheminimum
necessaryforperforming
assignedworkfunctions.
CIP0045CyberSecurityPersonnel&Training
Page18of52
R5. EachResponsibleEntityshallimplement,inamannerthatidentifies,assesses,andcorrectsdeficiencies,oneormore
documentedaccessrevocationprogramsthatcollectivelyincludeeachoftheapplicablerequirementpartsinCIP0045
TableR5AccessRevocation.[ViolationRiskFactor:Medium][TimeHorizon:SameDayOperationsandOperations
Planning].
M5. Evidencemustincludeeachoftheapplicabledocumentedprogramsthatcollectivelyincludeeachoftheapplicable
requirementpartsinCIP0045TableR5AccessRevocationandadditionalevidencetodemonstrateimplementationas
describedintheMeasurescolumnofthetable.
CIP0045TableR5AccessRevocation
Part ApplicableSystems Requirements Measures
5.1 HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;and
2. PACS
MediumImpactBESCyberSystems
withExternalRoutableConnectivity
andtheirassociated:
1. EACMS;and
2. PACS
Aprocesstoinitiateremovalofan
individualsabilityforunescorted
physicalaccessandInteractiveRemote
Accessuponaterminationaction,and
completetheremovalswithin24hours
oftheterminationaction(Removalof
theabilityforaccessmaybedifferent
thandeletion,disabling,revocation,or
removalofallaccessrights).
Anexampleofevidencemayinclude,
butisnotlimitedto,documentationof
allofthefollowing:
1. Datedworkfloworsignoffform
verifyingaccessremoval
associatedwiththetermination
action;and
2. Logsorotherdemonstration
showingsuchpersonsnolonger
haveaccess.
CIP0045CyberSecurityPersonnel&Training
Page19of52
CIP0045TableR5AccessRevocation
Part ApplicableSystems Requirements Measures
5.2 HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;and
2. PACS
MediumImpactBESCyberSystems
withExternalRoutableConnectivity
andtheirassociated:
1. EACMS;and
2. PACS
Forreassignmentsortransfers,revoke
theindividualsauthorizedelectronic
accesstoindividualaccountsand
authorizedunescortedphysicalaccess
thattheResponsibleEntitydetermines
arenotnecessarybytheendofthe
nextcalendardayfollowingthedate
thattheResponsibleEntitydetermines
thattheindividualnolongerrequires
retentionofthataccess.
Anexampleofevidencemayinclude,
butisnotlimitedto,documentationof
allofthefollowing:
1. Datedworkfloworsignoffform
showingareviewoflogicaland
physicalaccess;and
2. Logsorotherdemonstration
showingsuchpersonsnolonger
haveaccessthatthe
ResponsibleEntitydetermines
isnotnecessary.
CIP0045CyberSecurityPersonnel&Training
Page20of52
CIP0045TableR5AccessRevocation
Part ApplicableSystems Requirements Measures
5.3 HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;and
2. PACS
MediumImpactBESCyberSystems
withExternalRoutableConnectivity
andtheirassociated:
1. EACMS;and
2. PACS
Forterminationactions,revokethe
individualsaccesstothedesignated
storagelocationsforBESCyberSystem
Information,whetherphysicalor
electronic(unlessalreadyrevoked
accordingtoRequirementR5.1),bythe
endofthenextcalendardayfollowing
theeffectivedateofthetermination
action.
Anexampleofevidencemayinclude,
butisnotlimitedto,workfloworsign
offformverifyingaccessremovalto
designatedphysicalareasorcyber
systemscontainingBESCyberSystem
Informationassociatedwiththe
terminationsanddatedwithinthenext
calendardayoftheterminationaction.
CIP0045CyberSecurityPersonnel&Training
Page21of52
CIP0045TableR5AccessRevocation
Part ApplicableSystems Requirements Measures
5.4 HighImpactBESCyberSystemsand
theirassociated:
EACMS
Forterminationactions,revokethe
individualsnonshareduseraccounts
(unlessalreadyrevokedaccordingto
Parts5.1or5.3)within30calendar
daysoftheeffectivedateofthe
terminationaction.
Anexampleofevidencemayinclude,
butisnotlimitedto,workfloworsign
offformshowingaccessremovalfor
anyindividualBESCyberAssetsand
softwareapplicationsasdetermined
necessarytocompletingtherevocation
ofaccessanddatedwithinthirty
calendardaysofthetermination
actions.
CIP0045CyberSecurityPersonnel&Training
Page22of52
CIP0045TableR5AccessRevocation
Part ApplicableSystems Requirements Measures
5.5 HighImpactBESCyberSystemsand
theirassociated:
EACMS
Forterminationactions,change
passwordsforsharedaccount(s)known
totheuserwithin30calendardaysof
theterminationaction.For
reassignmentsortransfers,change
passwordsforsharedaccount(s)known
totheuserwithin30calendardays
followingthedatethattheResponsible
Entitydeterminesthattheindividualno
longerrequiresretentionofthat
access.
IftheResponsibleEntitydetermines
anddocumentsthatextenuating
operatingcircumstancesrequirea
longertimeperiod,changethe
password(s)within10calendardays
followingtheendoftheoperating
circumstances.
Examplesofevidencemayinclude,but
arenotlimitedto:
Workfloworsignoffform
showingpasswordresetwithin
30calendardaysofthe
termination;
Workfloworsignoffform
showingpasswordresetwithin
30calendardaysofthe
reassignmentsortransfers;or
Documentationofthe
extenuatingoperating
circumstanceandworkflowor
signoffformshowingpassword
resetwithin10calendardays
followingtheendofthe
operatingcircumstance.
CIP0045CyberSecurityPersonnel&Training
Page23of52
C. Compliance
1. ComplianceMonitoringProcess:
1.1. ComplianceEnforcementAuthority:
TheRegionalEntityshallserveastheComplianceEnforcementAuthority(CEA)
unlesstheapplicableentityisowned,operated,orcontrolledbytheRegional
Entity.InsuchcasestheEROoraRegionalEntityapprovedbyFERCorother
applicablegovernmentalauthorityshallserveastheCEA.
1.2. EvidenceRetention:
Thefollowingevidenceretentionperiodsidentifytheperiodoftimeanentityis
requiredtoretainspecificevidencetodemonstratecompliance.Forinstances
wheretheevidenceretentionperiodspecifiedbelowisshorterthanthetime
sincethelastaudit,theCEAmayaskanentitytoprovideotherevidencetoshow
thatitwascompliantforthefulltimeperiodsincethelastaudit.
TheResponsibleEntityshallkeepdataorevidencetoshowcomplianceas
identifiedbelowunlessdirectedbyitsCEAtoretainspecificevidencefora
longerperiodoftimeaspartofaninvestigation:
EachResponsibleEntityshallretainevidenceofeachrequirementinthis
standardforthreecalendaryears.
IfaResponsibleEntityisfoundnoncompliant,itshallkeepinformation
relatedtothenoncomplianceuntilmitigationiscompleteandapprovedor
forthetimespecifiedabove,whicheverislonger.
TheCEAshallkeepthelastauditrecordsandallrequestedandsubmitted
subsequentauditrecords.
1.3. ComplianceMonitoringandAssessmentProcesses:
ComplianceAudit
SelfCertification
SpotChecking
ComplianceInvestigation
SelfReporting
Complaint
1.4. AdditionalComplianceInformation:
None
CIP0045CyberSecurityPersonnel&Training
Page24of52
2.TableofComplianceElements
R# Time
Horizon
VRF ViolationSeverityLevels(CIP0045)
LowerVSL ModerateVSL HighVSL SevereVSL
R1 Operations
Planning
Lower The
Responsible
Entitydidnot
reinforcecyber
security
practices
duringa
calendar
quarterbutdid
solessthan10
calendardays
afterthestart
ofa
subsequent
calendar
quarter.(1.1)
TheResponsibleEntity
didnotreinforcecyber
securitypracticesduring
acalendarquarterbut
didsobetween10and
30calendardaysafter
thestartofa
subsequentcalendar
quarter.(1.1)
TheResponsibleEntity
didnotreinforcecyber
securitypracticesduring
acalendarquarterbut
didsowithinthe
subsequentquarterbut
beyond30calendar
daysafterthestartof
thatcalendarquarter.
(1.1)
TheResponsibleEntity
didnotdocumentor
implementanysecurity
awarenessprocess(es)
toreinforcecyber
securitypractices.(R1)
OR
TheResponsibleEntity
didnotreinforcecyber
securitypracticesand
associatedphysical
securitypracticesforat
leasttwoconsecutive
calendarquarters.(1.1)
R2 Operations
Planning
Lower The
Responsible
Entity
implementeda
cybersecurity
training
programbut
failedto
includeoneof
thetraining
TheResponsibleEntity
implementedacyber
securitytraining
programbutfailedto
includetwoofthe
trainingcontenttopics
inRequirementParts
2.1.1through2.1.9,and
didnotidentify,assess
andcorrectthe
TheResponsibleEntity
implementedacyber
securitytraining
programbutfailedto
includethreeofthe
trainingcontenttopics
inRequirementParts
2.1.1through2.1.9,and
didnotidentify,assess
andcorrectthe
TheResponsibleEntity
didnotimplementa
cybersecuritytraining
programappropriateto
individualroles,
functions,or
responsibilities.(R2)
OR
TheResponsibleEntity
CIP0045CyberSecurityPersonnel&Training
Page25of52
R# Time
Horizon
VRF ViolationSeverityLevels(CIP0045)
LowerVSL ModerateVSL HighVSL SevereVSL
contenttopics
inRequirement
Parts2.1.1
through2.1.9,
anddidnot
identify,assess
andcorrectthe
deficiencies.
(2.1)
OR
The
Responsible
Entity
implementeda
cybersecurity
training
programbut
failedtotrain
oneindividual
(withthe
exceptionof
CIPExceptional
Circumstances)
priortotheir
beinggranted
authorized
electronicand
authorized
deficiencies.(2.1)
OR
TheResponsibleEntity
implementedacyber
securitytraining
programbutfailedto
traintwoindividuals
(withtheexceptionof
CIPExceptional
Circumstances)priorto
theirbeinggranted
authorizedelectronic
andauthorized
unescortedphysical
access,anddidnot
identify,assessand
correctthedeficiencies.
(2.2)
OR
TheResponsibleEntity
implementedacyber
securitytraining
programbutfailedto
traintwoindividuals
withauthorized
electronicorauthorized
unescortedphysical
deficiencies.(2.1)
OR
TheResponsibleEntity
implementedacyber
securitytraining
programbutfailedto
trainthreeindividuals
(withtheexceptionof
CIPExceptional
Circumstances)priorto
theirbeinggranted
authorizedelectronic
andauthorized
unescortedphysical
access,anddidnot
identify,assessand
correctthedeficiencies.
(2.2)
OR
TheResponsibleEntity
implementedacyber
securitytraining
programbutfailedto
trainthreeindividuals
withauthorized
electronicorauthorized
unescortedphysical
implementedacyber
securitytraining
programbutfailedto
includefourormoreof
thetrainingcontent
topicsinRequirement
Parts2.1.1through
2.1.9,anddidnot
identify,assessand
correctthedeficiencies.
(2.1)
OR
TheResponsibleEntity
implementedacyber
securitytraining
programbutfailedto
trainfourormore
individuals(withthe
exceptionofCIP
Exceptional
Circumstances)priorto
theirbeinggranted
authorizedelectronic
andauthorized
unescortedphysical
access,anddidnot
identify,assessand
correctthedeficiencies.
CIP0045CyberSecurityPersonnel&Training
Page26of52
R# Time
Horizon
VRF ViolationSeverityLevels(CIP0045)
LowerVSL ModerateVSL HighVSL SevereVSL
unescorted
physicalaccess,
anddidnot
identify,assess
andcorrectthe
deficiencies.
(2.2)
OR
The
Responsible
Entity
implementeda
cybersecurity
training
programbut
failedtotrain
oneindividual
withauthorized
electronicor
authorized
unescorted
physicalaccess
within15
calendar
monthsofthe
previous
training
completion
accesswithin15
calendarmonthsofthe
previoustraining
completiondate,and
didnotidentify,assess
andcorrectthe
deficiencies.(2.3)
accesswithin15
calendarmonthsofthe
previoustraining
completiondate,and
didnotidentify,assess
andcorrectthe
deficiencies.(2.3)
(2.2)
OR
TheResponsibleEntity
implementedacyber
securitytraining
programbutfailedto
trainfourormore
individualswith
authorizedelectronicor
authorizedunescorted
physicalaccesswithin
15calendarmonthsof
theprevioustraining
completiondate,and
didnotidentify,assess
andcorrectthe
deficiencies.(2.3)
CIP0045CyberSecurityPersonnel&Training
Page27of52
R# Time
Horizon
VRF ViolationSeverityLevels(CIP0045)
LowerVSL ModerateVSL HighVSL SevereVSL
date,anddid
notidentify,
assessand
correctthe
deficiencies.
(2.3)
R3 Operations
Planning
Medium The
Responsible
Entityhasa
programfor
conducting
PersonnelRisk
Assessments
(PRAs)for
individuals,
including
contractorsand
service
vendors,but
didnotconduct
thePRAasa
conditionof
granting
authorized
electronicor
authorized
unescorted
physicalaccess
TheResponsibleEntity
hasaprogramfor
conductingPersonnel
RiskAssessments(PRAs)
forindividuals,including
contractorsandservice
vendors,butdidnot
conductthePRAasa
conditionofgranting
authorizedelectronicor
authorizedunescorted
physicalaccessfortwo
individuals,anddidnot
identify,assess,and
correctthedeficiencies.
(R3)
OR
TheResponsibleEntity
didconductPersonnel
RiskAssessments(PRAs)
forindividuals,including
TheResponsibleEntity
hasaprogramfor
conductingPersonnel
RiskAssessments(PRAs)
forindividuals,including
contractorsandservice
vendors,butdidnot
conductthePRAasa
conditionofgranting
authorizedelectronicor
authorizedunescorted
physicalaccessforthree
individuals,anddidnot
identify,assess,and
correctthedeficiencies.
(R3)
OR
TheResponsibleEntity
didconductPersonnel
RiskAssessments(PRAs)
forindividuals,including
TheResponsibleEntity
didnothaveallofthe
requiredelementsas
describedby3.1
through3.4included
withindocumented
program(s)for
implementingPersonnel
RiskAssessments
(PRAs),forindividuals,
includingcontractors
andservicevendors,for
obtainingandretaining
authorizedcyberor
authorizedunescorted
physicalaccess.(R3)
OR
TheResponsibleEntity
hasaprogramfor
conductingPersonnel
RiskAssessments(PRAs)
CIP0045CyberSecurityPersonnel&Training
Page28of52
R# Time
Horizon
VRF ViolationSeverityLevels(CIP0045)
LowerVSL ModerateVSL HighVSL SevereVSL
forone
individual,and
didnot
identify,assess,
andcorrectthe
deficiencies.
(R3)
OR
The
Responsible
Entitydid
conduct
PersonnelRisk
Assessments
(PRAs)for
individuals,
including
contractorsand
service
vendors,with
authorized
electronicor
authorized
unescorted
physicalaccess
butdidnot
confirm
identityforone
contractorsandservice
vendors,with
authorizedelectronicor
authorizedunescorted
physicalaccessbutdid
notconfirmidentityfor
twoindividuals,anddid
notidentify,assess,and
correctthedeficiencies.
(3.1&3.4)
OR
TheResponsibleEntity
hasaprocessto
performsevenyear
criminalhistoryrecord
checksforindividuals,
includingcontractors
andservicevendors,
withauthorized
electronicorauthorized
unescortedphysical
accessbutdidnot
includetherequired
checksdescribedin
3.2.1and3.2.2fortwo
individuals,anddidnot
identify,assess,and
correctthedeficiencies.
contractorsandservice
vendors,with
authorizedelectronicor
authorizedunescorted
physicalaccessbutdid
notconfirmidentityfor
threeindividuals,and
didnotidentify,assess,
andcorrectthe
deficiencies.(3.1&3.4)
OR
TheResponsibleEntity
hasaprocessto
performsevenyear
criminalhistoryrecord
checksforindividuals,
includingcontractors
andservicevendors,
withauthorized
electronicorauthorized
unescortedphysical
accessbutdidnot
includetherequired
checksdescribedin
3.2.1and3.2.2forthree
individuals,anddidnot
identify,assess,and
correctthedeficiencies.
forindividuals,including
contractorsandservice
vendors,butdidnot
conductthePRAasa
conditionofgranting
authorizedelectronicor
authorizedunescorted
physicalaccessforfour
ormoreindividuals,and
didnotidentify,assess,
andcorrectthe
deficiencies.(R3)
OR
TheResponsibleEntity
didconductPersonnel
RiskAssessments(PRAs)
forindividuals,including
contractorsandservice
vendors,with
authorizedelectronicor
authorizedunescorted
physicalaccessbutdid
notconfirmidentityfor
fourormoreindividuals,
anddidnotidentify,
assess,andcorrectthe
deficiencies.(3.1&3.4)
CIP0045CyberSecurityPersonnel&Training
Page29of52
R# Time
Horizon
VRF ViolationSeverityLevels(CIP0045)
LowerVSL ModerateVSL HighVSL SevereVSL
individual,and
didnot
identify,assess,
andcorrectthe
deficiencies.
(3.1&3.4)
OR
The
Responsible
Entityhasa
processto
performseven
yearcriminal
historyrecord
checksfor
individuals,
including
contractorsand
service
vendors,with
authorized
electronicor
authorized
unescorted
physicalaccess
butdidnot
includethe
required
(3.2&3.4)
OR
TheResponsibleEntity
didconductPersonnel
RiskAssessments(PRAs)
forindividuals,including
contractorsandservice
vendors,with
authorizedelectronicor
authorizedunescorted
physicalaccessbutdid
notevaluatecriminal
historyrecordscheck
foraccessauthorization
fortwoindividuals,and
didnotidentify,assess,
andcorrectthe
deficiencies.(3.3&3.4)
OR
TheResponsibleEntity
didnotconduct
PersonnelRisk
Assessments(PRAs)for
twoindividualswith
authorizedelectronicor
authorizedunescorted
physicalaccesswithin7
(3.2&3.4)
OR
TheResponsibleEntity
didconductPersonnel
RiskAssessments(PRAs)
forindividuals,including
contractorsandservice
vendors,with
authorizedelectronicor
authorizedunescorted
physicalaccessbutdid
notevaluatecriminal
historyrecordscheck
foraccessauthorization
forthreeindividuals,
anddidnotidentify,
assess,andcorrectthe
deficiencies.(3.3&3.4)
OR
TheResponsibleEntity
didnotconduct
PersonnelRisk
Assessments(PRAs)for
threeindividualswith
authorizedelectronicor
authorizedunescorted
physicalaccesswithin7
OR
TheResponsibleEntity
hasaprocessto
performsevenyear
criminalhistoryrecord
checksforindividuals,
includingcontractors
andservicevendors,
withauthorized
electronicorauthorized
unescortedphysical
accessbutdidnot
includetherequired
checksdescribedin
3.2.1and3.2.2forfour
ormoreindividuals,and
didnotidentify,assess,
andcorrectthe
deficiencies.(3.2&3.4)
OR
TheResponsibleEntity
didconductPersonnel
RiskAssessments(PRAs)
forindividuals,including
contractorsandservice
vendors,with
authorizedelectronicor
CIP0045CyberSecurityPersonnel&Training
Page30of52
R# Time
Horizon
VRF ViolationSeverityLevels(CIP0045)
LowerVSL ModerateVSL HighVSL SevereVSL
checks
describedin
3.2.1and3.2.2
forone
individual,and
didnot
identify,assess,
andcorrectthe
deficiencies.
(3.2&3.4)
OR
The
Responsible
Entitydid
conduct
PersonnelRisk
Assessments
(PRAs)for
individuals,
including
contractorsand
service
vendors,with
authorized
electronicor
authorized
unescorted
physicalaccess
calendaryearsofthe
previousPRA
completiondate,and
didnotidentify,assess,
andcorrectthe
deficiencies.(3.5)
calendaryearsofthe
previousPRA
completiondate,and
didnotidentify,assess,
andcorrectthe
deficiencies.(3.5)
authorizedunescorted
physicalaccessbutdid
notevaluatecriminal
historyrecordscheck
foraccessauthorization
forfourormore
individuals,anddidnot
identify,assess,and
correctthedeficiencies.
(3.3&3.4)
OR
TheResponsibleEntity
didnotconduct
PersonnelRisk
Assessments(PRAs)for
fourormoreindividuals
withauthorized
electronicorauthorized
unescortedphysical
accesswithin7calendar
yearsoftheprevious
PRAcompletiondate
andhasidentified
deficiencies,anddidnot
identify,assess,and
correctthedeficiencies.
(3.5)
CIP0045CyberSecurityPersonnel&Training
Page31of52
R# Time
Horizon
VRF ViolationSeverityLevels(CIP0045)
LowerVSL ModerateVSL HighVSL SevereVSL
butdidnot
evaluate
criminalhistory
recordscheck
foraccess
authorization
forone
individual,and
didnot
identify,assess,
andcorrectthe
deficiencies.
(3.3&3.4)
OR
The
Responsible
Entitydidnot
conduct
PersonnelRisk
Assessments
(PRAs)forone
individualwith
authorized
electronicor
authorized
unescorted
physicalaccess
within7
CIP0045CyberSecurityPersonnel&Training
Page32of52
R# Time
Horizon
VRF ViolationSeverityLevels(CIP0045)
LowerVSL ModerateVSL HighVSL SevereVSL
calendaryears
oftheprevious
PRA
completion
date,anddid
notidentify,
assess,and
correctthe
deficiencies.
(3.5)
R4 Operations
Planning
andSame
Day
Operations
Lower
The
Responsible
Entitydidnot
verifythat
individualswith
active
electronicor
active
unescorted
physicalaccess
have
authorization
recordsduring
acalendar
quarterbutdid
solessthan10
calendardays
afterthestart
TheResponsibleEntity
didnotverifythat
individualswithactive
electronicoractive
unescortedphysical
accesshave
authorizationrecords
duringacalendar
quarterbutdidso
between10and30
calendardaysafterthe
startofasubsequent
calendarquarter,and
didnotidentify,assess,
andcorrectthe
deficiencies.(4.2)
OR
TheResponsibleEntity
didnotverifythat
individualswithactive
electronicoractive
unescortedphysical
accesshave
authorizationrecords
duringacalendar
quarterbutdidso
between10and30
calendardaysafterthe
startofasubsequent
calendarquarter,and
didnotidentify,assess,
andcorrectthe
deficiencies.(4.2)
OR
TheResponsibleEntity
didnotimplementany
documentedprogram(s)
foraccessmanagement.
(R4)
OR
TheResponsibleEntity
hasimplementedoneor
moredocumented
program(s)foraccess
managementthat
includesaprocessto
authorizeelectronic
access,unescorted
physicalaccess,or
accesstothedesignated
storagelocationswhere
CIP0045CyberSecurityPersonnel&Training
Page33of52
R# Time
Horizon
VRF ViolationSeverityLevels(CIP0045)
LowerVSL ModerateVSL HighVSL SevereVSL
ofa
subsequent
calendar
quarter,and
didnot
identify,assess
andcorrectthe
deficiencies.
(4.2)
OR
The
Responsible
Entityhas
implemented
processesto
verifythatuser
accounts,user
account
groups,oruser
rolecategories,
andtheir
specific,
associated
privilegesare
correctand
necessary
within15
TheResponsibleEntity
hasimplemented
processestoverifythat
useraccounts,user
accountgroups,oruser
rolecategories,and
theirspecific,associated
privilegesarecorrect
andnecessarywithin15
calendarmonthsofthe
previousverificationbut
fortwoBESCyber
Systems,privilegeswere
incorrector
unnecessary,anddid
notidentify,assess,and
correctthedeficiencies.
(4.3)
OR
TheResponsibleEntity
hasimplemented
processestoverifythat
accesstothedesignated
storagelocationsfor
BESCyberSystem
Informationiscorrect
andnecessarywithin15
TheResponsibleEntity
hasimplemented
processestoverifythat
useraccounts,user
accountgroups,oruser
rolecategories,and
theirspecific,associated
privilegesarecorrect
andnecessarywithin15
calendarmonthsofthe
previousverificationbut
forthreeBESCyber
Systems,privilegeswere
incorrector
unnecessary,anddid
notidentify,assess,and
correctthedeficiencies.
(4.3)
OR
TheResponsibleEntity
hasimplemented
processestoverifythat
accesstothedesignated
storagelocationsfor
BESCyberSystem
Informationiscorrect
andnecessarywithin15
BESCyberSystem
Informationislocated,
anddidnotidentify,
assess,andcorrectthe
deficiencies.(4.1)
OR
TheResponsibleEntity
didnotverifythat
individualswithactive
electronicoractive
unescortedphysical
accesshave
authorizationrecords
foratleasttwo
consecutivecalendar
quarters,anddidnot
identify,assess,and
correctthedeficiencies.
(4.2)
OR
TheResponsibleEntity
hasimplemented
processestoverifythat
useraccounts,user
accountgroups,oruser
rolecategories,and
theirspecific,associated
CIP0045CyberSecurityPersonnel&Training
Page34of52
R# Time
Horizon
VRF ViolationSeverityLevels(CIP0045)
LowerVSL ModerateVSL HighVSL SevereVSL
calendar
monthsofthe
previous
verificationbut
foroneBES
CyberSystem,
privilegeswere
incorrector
unnecessary,
anddidnot
identify,assess
andcorrectthe
deficiencies.
(4.3)
OR
The
Responsible
Entityhas
implemented
processesto
verifythat
accesstothe
designated
storage
locationsfor
BESCyber
System
Informationis
calendarmonthsofthe
previousverificationbut
fortwoBESCyber
SystemInformation
storagelocations,
privilegeswere
incorrector
unnecessary,anddid
notidentify,assess,and
correctthedeficiencies.
(4.4)
calendarmonthsofthe
previousverificationbut
forthreeBESCyber
SystemInformation
storagelocations,
privilegeswere
incorrector
unnecessary,anddid
notidentify,assess,and
correctthedeficiencies.
(4.4)
privilegesarecorrect
andnecessarywithin15
calendarmonthsofthe
previousverificationbut
forfourormoreBES
CyberSystems,
privilegeswere
incorrector
unnecessary,anddid
notidentify,assess,and
correctthedeficiencies.
(4.3)
OR
TheResponsibleEntity
hasimplemented
processestoverifythat
accesstothedesignated
storagelocationsfor
BESCyberSystem
Informationiscorrect
andnecessarywithin15
calendarmonthsofthe
previousverificationbut
forfourormoreBES
CyberSystem
Informationstorage
locations,privileges
CIP0045CyberSecurityPersonnel&Training
Page35of52
R# Time
Horizon
VRF ViolationSeverityLevels(CIP0045)
LowerVSL ModerateVSL HighVSL SevereVSL
correctand
necessary
within15
calendar
monthsofthe
previous
verificationbut
foroneBES
CyberSystem
Information
storage
location,
privilegeswere
incorrector
unnecessary,
anddidnot
identify,assess
andcorrectthe
deficiencies.
(4.4)
wereincorrector
unnecessary,anddid
notidentify,assess,and
correctthedeficiencies.
(4.4)
R5 SameDay
Operations
and
Operations
Planning
Medium
The
Responsible
Entityhas
implemented
oneormore
process(es)to
revokethe
individuals
TheResponsibleEntity
hasimplementedoneor
moreprocess(es)to
removetheabilityfor
unescortedphysical
accessandInteractive
RemoteAccessupona
terminationactionor
TheResponsibleEntity
hasimplementedoneor
moreprocess(es)to
removetheabilityfor
unescortedphysical
accessandInteractive
RemoteAccessupona
terminationactionor
TheResponsibleEntity
hasnotimplemented
anydocumented
program(s)foraccess
revocationforelectronic
access,unescorted
physicalaccess,orBES
CyberSystem
CIP0045CyberSecurityPersonnel&Training
Page36of52
R# Time
Horizon
VRF ViolationSeverityLevels(CIP0045)
LowerVSL ModerateVSL HighVSL SevereVSL
accesstothe
designated
storage
locationsfor
BESCyber
System
Information
but,forone
individual,did
notdosoby
theendofthe
nextcalendar
dayfollowing
theeffective
dateandtime
ofthe
termination
action,anddid
notidentify,
assess,and
correctthe
deficiencies.
(5.3)
OR
The
Responsible
Entityhas
implemented
completetheremoval
within24hoursofthe
terminationactionbut
didnotinitiatethose
removalsforone
individual,anddidnot
identify,assess,and
correctthedeficiencies.
(5.1)
OR
TheResponsibleEntity
hasimplementedoneor
moreprocess(es)to
determinethatan
individualnolonger
requiresretentionof
accessfollowing
reassignmentsor
transfersbut,forone
individual,didnot
revoketheauthorized
electronicaccessto
individualaccountsand
authorizedunescorted
physicalaccessbythe
endofthenextcalendar
completetheremoval
within24hoursofthe
terminationactionbut
didnotinitiatethose
removalsfortwo
individuals,anddidnot
identify,assess,and
correctthedeficiencies.
(5.1)
OR
TheResponsibleEntity
hasimplementedoneor
moreprocess(es)to
determinethatan
individualnolonger
requiresretentionof
accessfollowing
reassignmentsor
transfersbut,fortwo
individuals,didnot
revoketheauthorized
electronicaccessto
individualaccountsand
authorizedunescorted
physicalaccessbythe
endofthenextcalendar
Informationstorage
locations.(R5)
OR
TheResponsibleEntity
hasimplementedoneor
moreprocess(es)to
removetheabilityfor
unescortedphysical
accessandInteractive
RemoteAccessupona
terminationactionor
completetheremoval
within24hoursofthe
terminationactionbut
didnotinitiatethose
removalsforthreeor
moreindividuals,and
didnotidentify,assess,
andcorrectthe
deficiencies.(5.1)
OR
TheResponsibleEntity
hasimplementedoneor
moreprocess(es)to
determinethatan
individualnolonger
CIP0045CyberSecurityPersonnel&Training
Page37of52
R# Time
Horizon
VRF ViolationSeverityLevels(CIP0045)
LowerVSL ModerateVSL HighVSL SevereVSL
oneormore
process(es)to
revokethe
individuals
useraccounts
upon
termination
actionbutdid
notdosofor
within30
calendardays
ofthedateof
termination
actionforone
ormore
individuals,and
didnot
identify,assess,
andcorrectthe
deficiencies.
(5.4)
OR
The
Responsible
Entityhas
implemented
oneormore
process(es)to
dayfollowingthe
predetermineddate,
anddidnotidentify,
assess,andcorrectthe
deficiencies.(5.2)
OR
TheResponsibleEntity
hasimplementedoneor
moreprocess(es)to
revoketheindividuals
accesstothedesignated
storagelocationsfor
BESCyberSystem
Informationbut,fortwo
individuals,didnotdo
sobytheendofthe
nextcalendarday
followingtheeffective
dateandtimeofthe
terminationaction,and
didnotidentify,assess,
andcorrectthe
deficiencies.(5.3)
dayfollowingthe
predetermineddate,
anddidnotidentify,
assess,andcorrectthe
deficiencies.(5.2)
OR
TheResponsibleEntity
hasimplementedoneor
moreprocess(es)to
revoketheindividuals
accesstothedesignated
storagelocationsfor
BESCyberSystem
Informationbut,for
threeormore
individuals,didnotdo
sobytheendofthe
nextcalendarday
followingtheeffective
dateandtimeofthe
terminationaction,and
didnotidentify,assess,
andcorrectthe
deficiencies.(5.3)
requiresretentionof
accessfollowing
reassignmentsor
transfersbut,forthree
ormoreindividuals,did
notrevokethe
authorizedelectronic
accesstoindividual
accountsandauthorized
unescortedphysical
accessbytheendofthe
nextcalendarday
followingthe
predetermineddate,
anddidnotidentify,
assess,andcorrectthe
deficiencies.(5.2)
CIP0045CyberSecurityPersonnel&Training
Page38of52
R# Time
Horizon
VRF ViolationSeverityLevels(CIP0045)
LowerVSL ModerateVSL HighVSL SevereVSL
change
passwordsfor
shared
accounts
knowntothe
userupon
termination
action,
reassignment,
ortransfer,but
didnotdoso
forwithin30
calendardays
ofthedateof
termination
action,
reassignment,
ortransferfor
oneormore
individuals,and
didnot
identify,assess,
andcorrectthe
deficiencies.
(5.5)
OR
The
Responsible
CIP0045CyberSecurityPersonnel&Training
Page39of52
R# Time
Horizon
VRF ViolationSeverityLevels(CIP0045)
LowerVSL ModerateVSL HighVSL SevereVSL
Entityhas
implemented
oneormore
process(es)to
determineand
document
extenuating
operating
circumstances
followinga
termination
action,
reassignment,
ortransfer,but
didnotchange
oneormore
passwordsfor
shared
accounts
knowntothe
userwithin10
calendardays
followingthe
endofthe
extenuating
operating
circumstances,
anddidnot
CIP0045CyberSecurityPersonnel&Training
Page40of52
R# Time
Horizon
VRF ViolationSeverityLevels(CIP0045)
LowerVSL ModerateVSL HighVSL SevereVSL
identify,assess,
andcorrectthe
deficiencies.
(5.5)
GuidelinesandTechnicalBasis
Page41of52
D. Regional Variances
None.
E. I nterpretations
None.
F. Associated Documents
None.
Section4.ApplicabilityofthestandardsprovidesimportantinformationforResponsible
EntitiestodeterminethescopeoftheapplicabilityoftheCIPCyberSecurityRequirements.
Section4.1.FunctionalEntitiesisalistofNERCfunctionalentitiestowhichthestandard
applies.IftheentityisregisteredasoneormoreofthefunctionalentitieslistedinSection4.1,
thentheNERCCIPCyberSecurityStandardsapply.NotethatthereisaqualificationinSection
4.1thatrestrictstheapplicabilityinthecaseofDistributionProviderstoonlythosethatown
certaintypesofsystemsandequipmentlistedin4.2.Furthermore,
Section4.2.FacilitiesdefinesthescopeoftheFacilities,systems,andequipmentownedby
theResponsibleEntity,asqualifiedinSection4.1,thatissubjecttotherequirementsofthe
standard.Asspecifiedintheexemptionsection4.2.3.5,thisstandarddoesnotapplyto
ResponsibleEntitiesthatdonothaveHighImpactorMediumImpactBESCyberSystemsunder
CIP0025scategorization.InadditiontothesetofBESFacilities,ControlCenters,andother
systemsandequipment,thelistincludesthesetofsystemsandequipmentownedby
DistributionProviders.WhiletheNERCGlossarytermFacilitiesalreadyincludestheBES
characteristic,theadditionaluseofthetermBEShereismeanttoreinforcethescopeof
applicabilityoftheseFacilitieswhereitisused,especiallyinthisapplicabilityscopingsection.
ThisineffectsetsthescopeofFacilities,systems,andequipmentthatissubjecttothe
standards.
RequirementR1:
Thesecurityawarenessprogramisintendedtobeaninformationalprogram,notaformal
trainingprogram.Itshouldreinforcesecuritypracticestoensurethatpersonnelmaintain
awarenessofbestpracticesforbothphysicalandelectronicsecuritytoprotectitsBESCyber
Systems.TheResponsibleEntityisnotrequiredtoproviderecordsthatshowthateach
individualreceivedorunderstoodtheinformation,buttheymustmaintaindocumentationof
theprogrammaterialsutilizedintheformofposters,memos,and/orpresentations.
Examplesofpossiblemechanismsandevidence,whendated,whichcanbeusedare:
GuidelinesandTechnicalBasis
Page42of52
Directcommunications(e.g.,emails,memos,computerbasedtraining,etc.);
Indirectcommunications(e.g.,posters,intranet,brochures,etc.);
Managementsupportandreinforcement(e.g.,presentations,meetings,etc.).
RequirementR2:
Trainingshallcoverthepolicies,accesscontrols,andproceduresasdevelopedfortheBES
CyberSystemsandinclude,ataminimum,therequireditemsappropriatetopersonnelroles
andresponsibilitiesfromTableR2.TheResponsibleEntityhastheflexibilitytodefinethe
trainingprogramanditmayconsistofmultiplemodulesandmultipledeliverymechanisms,but
asingletrainingprogramforallindividualsneedingtobetrainedisacceptable.Thetraining
canfocusonfunctions,rolesorresponsibilitiesatthediscretionoftheResponsibleEntity.
Onenewelementinthetrainingcontentisintendedtoencompassnetworkinghardwareand
softwareandotherissuesofelectronicinterconnectivitysupportingtheoperationandcontrol
ofBESCyberSystemsasperFERCOrderNo.706,Paragraph434.Thisisnotintendedto
providetechnicaltrainingtoindividualssupportingnetworkinghardwareandsoftware,but
educatingsystemusersofthecybersecurityrisksassociatedwiththeinterconnectednessof
thesesystems.Theusers,basedontheirfunction,roleorresponsibility,shouldhaveabasic
understandingofwhichsystemscanbeaccessedfromothersystemsandhowtheactionsthey
takecanaffectcybersecurity.
EachResponsibleEntityshallensureallpersonnelwhoaregrantedauthorizedelectronicaccess
and/orauthorizedunescortedphysicalaccesstoitsBESCyberSystems,includingcontractors
andservicevendors,completecybersecuritytrainingpriortotheirbeinggrantedauthorized
access,exceptforCIPExceptionalCircumstances.Toretaintheauthorizedaccesses,individuals
mustcompletethetrainingatleastoneevery15months.
RequirementR3:
EachResponsibleEntityshallensureapersonnelriskassessmentisperformedforallpersonnel
whoaregrantedauthorizedelectronicaccessand/orauthorizedunescortedphysicalaccessto
itsBESCyberSystems,includingcontractorsandservicevendors,priortotheirbeinggranted
authorizedaccess,exceptforprogramspecifiedexceptionalcircumstancesthatareapproved
bythesingleseniormanagementofficialortheirdelegateandimpactthereliabilityoftheBES
oremergencyresponse.Identityshouldbeconfirmedinaccordancewithfederal,state,
provincial,andlocallaws,andsubjecttoexistingcollectivebargainingunitagreements.
Identityonlyneedstobeconfirmedpriortoinitiallygrantingaccessandonlyrequiresperiodic
confirmationaccordingtotheentitysprocessduringthetenureofemployment,whichmayor
maynotbethesameastheinitialverificationaction.
Asevenyearcriminalhistorycheckshouldbeperformedforthoselocationswherethe
individualhasresidedforatleastsixconsecutivemonths.Thischeckshouldalsobeperformed
inaccordancewithfederal,state,provincial,andlocallaws,andsubjecttoexistingcollective
bargainingunitagreements.Whenitisnotpossibletoperformafullsevenyearcriminal
historycheck,documentationmustbemadeofwhatcriminalhistorycheckwasperformed,and
thereasonsafullsevenyearcheckcouldnotbeperformed.Examplesofthiscouldinclude
GuidelinesandTechnicalBasis
Page43of52
individualsundertheageof25whereajuvenilecriminalhistorymaybeprotectedbylaw,
individualswhomayhaveresidedinlocationsfromwhereitisnotpossibletoobtainacriminal
historyrecordscheck,violatesthelaworisnotallowedundertheexistingcollectivebargaining
agreement.TheResponsibleEntityshouldconsidertheabsenceofinformationforthefull
sevenyearswhenassessingtheriskofgrantingaccessduringtheprocesstoevaluatethe
criminalhistorycheck.Thereneedstobeapersonnelriskassessmentthathasbeencompleted
withinthelastsevenyearsforeachindividualwithaccess.Anewcriminalhistoryrecordscheck
mustbeperformedaspartofthenewPRA.Individualswhohavebeengrantedaccessundera
previousversionofthesestandardsneedanewPRAwithinsevenyearsofthedateoftheirlast
PRA.Theclarificationsaroundthesevenyearcriminalhistorycheckinthisversiondonot
requireanewPRAbeperformedbytheimplementationdate.
RequirementR4:
AuthorizationforelectronicandunescortedphysicalaccessandaccesstoBESCyberSystem
Informationmustbeonthebasisofnecessityintheindividualperformingaworkfunction.
Documentationshowingtheauthorizationshouldhavesomejustificationofthebusinessneed
included.Toensurepropersegregationofduties,accessauthorizationandprovisioningshould
notbeperformedbythesamepersonwherepossible.
Thisrequirementspecifiesbothquarterlyreviewsandreviewsatleastonceevery15calendar
months.Quarterlyreviewsaretoperformavalidationthatonlyauthorizedusershavebeen
grantedaccesstoBESCyberSystems.Thisisachievedbycomparingindividualsactually
provisionedtoaBESCyberSystemagainstrecordsofindividualsauthorizedtotheBESCyber
System.Thefocusofthisrequirementisontheintegrityofprovisioningaccessratherthan
individualaccountsonallBESCyberAssets.Thelistofprovisionedindividualscanbean
automaticallygeneratedaccountlisting.However,inaBESCyberSystemwithseveralaccount
databases,thelistofprovisionedindividualsmaycomefromotherrecordssuchasprovisioning
workfloworauseraccountdatabasewhereprovisioningtypicallyinitiates.
Theprivilegereviewatleastonceevery15calendarmonthsismoredetailedtoensurean
individualsassociatedprivilegesaretheminimumnecessarytoperformtheirworkfunction
(i.e.,leastprivilege).Entitiescanmoreefficientlyperformthisreviewbyimplementingrole
basedaccess.Thisinvolvesdeterminingthespecificrolesonthesystem(e.g.,systemoperator,
technician,reportviewer,administrator,etc.)thengroupingaccessprivilegestotheroleand
assigninguserstotherole.Rolebasedaccessdoesnotassumeanyspecificsoftwareandcan
beimplementedbydefiningspecificprovisioningprocessesforeachrolewhereaccessgroup
GuidelinesandTechnicalBasis
Page44of52
assignmentscannotbeperformed.Rolebasedaccesspermissionseliminatetheneedto
performtheprivilegereviewonindividualaccounts.Anexampletimelineofallthereviewsin
RequirementR4isincludedbelow.
SeparationofdutiesshouldbeconsideredwhenperformingthereviewsinRequirementR4.
Thepersonreviewingshouldbedifferentthanthepersonprovisioningaccess.
Iftheresultsofquarterlyoratleastonceevery15calendarmonthsaccountreviewsindicatean
administrativeorclericalerrorinwhichaccesswasnotactuallyprovisioned,thentheSDT
intendsthatthiserrorshouldnotbeconsideredaviolationofthisrequirement.
ForBESCyberSystemsthatdonothaveuseraccountsdefined,thecontrolslistedin
RequirementR4arenotapplicable.However,theResponsibleEntityshoulddocumentsuch
configurations.
RequirementR5:
Therequirementtorevokeaccessatthetimeoftheterminationactionincludesprocedures
showingrevocationofaccessconcurrentwiththeterminationaction.Thisrequirement
recognizesthatthetimingoftheterminationactionmayvarydependingonthecircumstance.
Somecommonscenariosandpossibleprocessesonwhentheterminationactionoccursare
providedinthefollowingtable.Thesescenariosarenotanexhaustivelistofallscenarios,but
arerepresentativeofseveralroutinebusinesspractices.
Scenario PossibleProcess
Immediateinvoluntary
termination
Humanresourcesorcorporatesecurityescortstheindividual
offsiteandthesupervisororhumanresourcespersonnel
notifytheappropriatepersonneltobegintherevocation
process.
Scheduledinvoluntary
termination
Humanresourcespersonnelarenotifiedofthetermination
andworkwithappropriatepersonneltoschedulethe
revocationofaccessatthetimeoftermination.
Voluntarytermination Humanresourcespersonnelarenotifiedofthetermination
andworkwithappropriatepersonneltoschedulethe
revocationofaccessatthetimeoftermination.
Retirementwherethelast
workingdayisseveralweeks
priortotheterminationdate
Humanresourcespersonnelcoordinatewithmanagerto
determinethefinaldateaccessisnolongerneededand
scheduletherevocationofaccessonthedeterminedday.
Death Humanresourcespersonnelarenotifiedofthedeathand
workwithappropriatepersonneltobegintherevocation
process.
GuidelinesandTechnicalBasis
Page45of52
Revocationofelectronicaccessshouldbeunderstoodtomeanaprocesswiththeendresult
thatelectronicaccesstoBESCyberSystemsisnolongerpossibleusingcredentialsassignedto
orknownbytheindividual(s)whoseaccessprivilegesarebeingrevoked.Stepstakento
accomplishthisoutcomemayincludedeletionordeactivationofaccountsusedbythe
individual(s),butnospecificactionsareprescribed.Entitiesshouldconsidertheramifications
ofdeletinganaccountmayincludeincompleteeventlogentriesduetoanunrecognized
accountorsystemservicesusingtheaccounttologon.
TheinitialrevocationrequiredinRequirementR5.1includesunescortedphysicalaccessand
InteractiveRemoteAccess.Thesetwoactionsshouldpreventanyfurtheraccessbythe
individualaftertermination.Ifanindividualstillhaslocalaccessaccounts(i.e.,accountsonthe
CyberAssetitself)onBESCyberAssets,thentheResponsibleEntityhas30daystocompletethe
revocationprocessforthoseaccounts.However,nothingpreventsaResponsibleEntityfrom
performingalloftheaccessrevocationatthetimeoftermination.
Fortransferredorreassignedindividuals,areviewofaccessprivilegesshouldbeperformed.
Thisreviewcouldentailasimplelistingofallauthorizationsforanindividualandworkingwith
therespectivemanagerstodeterminewhichaccesswillstillbeneededinthenewposition.For
instancesinwhichtheindividualstillneedstoretainaccessaspartofatransitoryperiod,the
entityshouldscheduleatimetoreviewtheseaccessprivilegesorincludetheprivilegesinthe
quarterlyaccountrevieworannualprivilegereview.
Revocationofaccesstosharedaccountsiscalledoutseparatelytopreventthesituationwhere
passwordsonsubstationandgenerationdevicesareconstantlychangedduetostaffturnover.
Requirement5.5specifiedthatpasswordsforsharedaccountaretothechangedwithin30
calendardaysoftheterminationactionorwhentheResponsibleEntitydeterminesan
individualnolongerrequiresaccesstotheaccountasaresultofareassignmentortransfer.
The30daysappliesundernormaloperatingconditions.However,circumstancesmayoccur
wherethisisnotpossible.Somesystemsmayrequireanoutageorrebootofthesystemin
ordertocompletethepasswordchange.Inperiodsofextremeheatorcold,manyResponsible
EntitiesmayprohibitsystemoutagesandrebootsinordertomaintainreliabilityoftheBES.
Whenthesecircumstancesoccur,theResponsibleEntitymustdocumentthesecircumstances
andpreparetochangethepasswordwithin10calendardaysfollowingtheendoftheoperating
circumstances.RecordsofactivitiesmustberetainedtoshowthattheResponsibleEntity
followedtheplantheycreated.
GuidelinesandTechnicalBasis
Page46of52
Rationale:
Duringthedevelopmentofthisstandard,referencestopriorversionsoftheCIPstandardsand
rationalefortherequirementsandtheirpartswereembeddedwithinthestandard.UponBOT
approval,thatinformationwasmovedtothissection.
RationaleforR1:
EnsuresthatResponsibleEntitieswithpersonnelwhohaveauthorizedelectronicorauthorized
unescortedphysicalaccesstoBESCyberAssetstakeactionsothatthosepersonnelwithsuch
authorizedelectronicorauthorizedunescortedphysicalaccessmaintainawarenessofthe
ResponsibleEntityssecuritypractices.
SummaryofChanges:Reformattedintotablestructure.
Referencetopriorversion:(Part1.1)CIP0044,R1
ChangeRationale:(Part1.1)
Changedtoremovetheneedtoensureorproveeveryonewithauthorizedelectronicor
authorizedunescortedphysicalaccessreceivedongoingreinforcementtostatethatsecurity
awarenesshasbeenreinforced.
Movedexamplemechanismstoguidance.
RationaleforR2:
ToensurethattheResponsibleEntitystrainingprogramforpersonnelwhoneedauthorized
electronicaccessand/orauthorizedunescortedphysicalaccesstoBESCyberSystemscovers
theproperpolicies,accesscontrols,andprocedurestoprotectBESCyberSystemsandare
trainedbeforeaccessisauthorized.
Basedontheirrole,somepersonnelmaynotrequiretrainingonalltopics.
SummaryofChanges:
1.Additionofspecificroletrainingfor:
Thevisitorcontrolprogram
ElectronicinterconnectivitysupportingtheoperationandcontrolofBESCyber
Systems
StoragemediaaspartofthehandlingofBESCyberSystemsinformation
2.ChangereferencesfromCriticalCyberAssetstoBESCyberSystems.
Referencetopriorversion:(Part2.1)CIP0044,R2.2.1
ChangeRationale:(Part2.1)
RemovedproperuseofCriticalCyberAssetsconceptfrompreviousversionstofocusthe
requirementoncybersecurityissues,notthebusinessfunction.Thepreviousversionwas
GuidelinesandTechnicalBasis
Page47of52
focusedmoreonthebusinessorfunctionaluseoftheBESCyberSystemandisoutsidethescope
ofcybersecurity.Personnelwhowilladministerthevisitorcontrolprocessorserveasescorts
forvisitorsneedtrainingontheprogram.CoretrainingonthehandlingofBESCyberSystem
(notCriticalCyberAssets)Information,withtheadditionofstorage;FERCOrderNo.706,
paragraph413andparagraphs632634,688,732734;DHS2.4.16.Coretrainingonthe
identificationandreportingofaCyberSecurityIncident;FERCOrderNo.706,Paragraph413;
RelatedtoCIP0085&DHSIncidentReportingrequirementsforthosewithrolesinincident
reporting.CoretrainingontheactionplansandprocedurestorecoverorreestablishBESCyber
Systemsforpersonnelhavingaroleintherecovery;FERCOrderNo.706,Paragraph413.Core
trainingprogramsareintendedtoencompassnetworkinghardwareandsoftwareandother
issuesofelectronicinterconnectivitysupportingtheoperationandcontrolofBESCyberSystems;
FERCOrderNo.706,Paragraph434.
Referencetopriorversion:(Part2.2)CIP0044,R2.1
ChangeRationale:(Part2.2)
AdditionofexceptionalcircumstancesparametersasdirectedinFERCOrderNo.706,Paragraph
431isdetailedinCIP0035.
Referencetopriorversion:(Part2.3)CIP0044,R2.3
ChangeRationale:(Part2.3)
Updatedtoreplaceannuallywithonceevery15calendarmonths.
RationaleforR3:
Toensurethatindividualswhoneedauthorizedelectronicorauthorizedunescortedphysical
accesstoBESCyberSystemshavebeenassessedforrisk.Whetherinitialaccessormaintaining
access,thosewithaccessmusthavehadapersonnelriskassessmentcompletedwithinthelast
7years.
SummaryofChanges:Specifythatthesevenyearcriminalhistorycheckcoversalllocations
wheretheindividualhasresidedforsixconsecutivemonthsormore,includingcurrent
residenceregardlessofduration.
Referencetopriorversion:(Part3.1)CIP0044,R3.1
ChangeRationale:(Part3.1)
Addressedinterpretationrequestinguidance.Specifiedthatprocessforidentityconfirmationis
required.Theimplementationplanclarifiesthatadocumentedidentityverificationconducted
underanearlierversionoftheCIPstandardsissufficient.
Referencetopriorversion:(Part3.2)CIP0044,R3.1
ChangeRationale:(Part3.2)
Specifythatthesevenyearcriminalhistorycheckcoversalllocationswheretheindividualhas
residedforsixmonthsormore,includingcurrentresidenceregardlessofduration.Added
GuidelinesandTechnicalBasis
Page48of52
additionalwordingbasedoninterpretationrequest.Provisionismadeforwhenafullseven
yearcheckcannotbeperformed.
Referencetopriorversion:(Part3.3)New
ChangeRationale:(Part3.3)
Thereshouldbedocumentedcriteriaoraprocessusedtoevaluatecriminalhistoryrecords
checksforauthorizingaccess.
Referencetopriorversion:(Part3.4)CIP0044,R3.3
ChangeRationale:(Part3.4)
Separatedintoitsowntableitem.
Referencetopriorversion:(Part3.5)CIP0043,R3,R3.3
ChangeRationale:(Part3.5)
Whetherforinitialaccessormaintainingaccess,establishesthatthosewithaccessmusthave
hadPRAcompletedwithin7years.Thiscoversbothinitialandrenewal.Theimplementation
planspecifiesthatinitialperformanceofthisrequirementis7yearsafterthelastpersonnelrisk
assessmentthatwasperformedpursuanttoapreviousversionoftheCIPCyberSecurity
Standardsforapersonnelriskassessment.CIP0043,R3,R3.3
RationaleforR4:
ToensurethatindividualswithaccesstoBESCyberSystemsandthephysicalandelectronic
locationswhereBESCyberSystemInformationisstoredbytheResponsibleEntityhavebeen
properlyauthorizedforsuchaccess.Authorizationshouldbeconsideredtobeagrantof
permissionbyapersonorpersonsempoweredbytheResponsibleEntitytoperformsuch
grantsandincludedinthedelegationsreferencedinCIP0035.Provisioningshouldbe
consideredtheactionstoprovideaccesstoanindividual.
Accessisphysical,logical,andremotepermissionsgrantedtoCyberAssetscomposingtheBES
CyberSystemorallowingaccesstotheBESCyberSystem.Whengranting,reviewing,or
revokingaccess,theResponsibleEntitymustaddresstheCyberAssetspecificallyaswellasthe
systemsusedtoenablesuchaccess(i.e.,physicalaccesscontrolsystem,remoteaccesssystem,
directoryservices).
CIPExceptionalCircumstancesaredefinedinaResponsibleEntityspolicyfromCIP0035and
allowanexceptiontotherequirementforauthorizationtoBESCyberSystemsandBESCyber
SystemInformation.
QuarterlyreviewsinPart4.5aretoperformavalidationthatonlyauthorizedusershavebeen
grantedaccesstoBESCyberSystems.Thisisachievedbycomparingindividualsactually
provisionedtoaBESCyberSystemagainstrecordsofindividualsauthorizedtoaccesstheBES
CyberSystem.Thefocusofthisrequirementisontheintegrityofprovisioningaccessrather
thanindividualaccountsonallBESCyberAssets.Thelistofprovisionedindividualscanbean
automaticallygeneratedaccountlisting.However,inaBESCyberSystemwithseveralaccount
GuidelinesandTechnicalBasis
Page49of52
databases,thelistofprovisionedindividualsmaycomefromotherrecordssuchasprovisioning
workfloworauseraccountdatabasewhereprovisioningtypicallyinitiates.
Iftheresultsofquarterlyorannualaccountreviewsindicateanadministrativeorclericalerror
inwhichaccesswasnotactuallyprovisioned,thentheSDTintendsthattheerrorshouldnotbe
consideredaviolationofthisrequirement.
ForBESCyberSystemsthatdonothaveuseraccountsdefined,thecontrolslistedin
RequirementR4arenotapplicable.However,theResponsibleEntityshoulddocumentsuch
configurations.
SummaryofChanges:Theprimarychangewasinpullingtheaccessmanagementrequirements
fromCIP0034,CIP0044,andCIP0074intoasinglerequirement.Therequirementsfrom
Version4remainlargelyunchangedexcepttoclarifysometerminology.Thepurposefor
combiningtheserequirementsistoremovetheperceivedredundancyinauthorizationand
review.TherequirementinCIP0044R4tomaintainalistofauthorizedpersonnelhasbeen
removedbecausethelistrepresentsonlyoneformofevidencetodemonstratecompliance
thatonlyauthorizedpersonshaveaccess.
Referencetopriorversion:(Part4.1)CIP0034,R5.1andR5.2;CIP0064,R1.5andR4;CIP007
4,R5.1andR5.1.1
ChangeRationale:(Part4.1)
CombinedrequirementsfromCIP0034,CIP0074,andCIP0064tomaketheauthorization
processclearandconsistent.CIP0034,CIP0044,CIP0064,andCIP0074allreference
authorizationofaccessinsomeform,andCIP0034andCIP0074requireauthorizationona
needtoknowbasisorwithrespecttoworkfunctionsperformed.Thesewereconsolidatedto
ensureconsistencyintherequirementlanguage.
Referencetopriorversion:(Part4.2)CIP0044,R4.1
ChangeRationale:(Part4.2)
Feedbackamongteammembers,observers,andregionalCIPauditorsindicatestherehasbeen
confusioninimplementationaroundwhatthetermreviewentailedinCIP0044,Requirement
R4.1.Thisrequirementclarifiesthereviewshouldoccurbetweentheprovisionedaccessand
authorizedaccess.
Referencetopriorversion:(Part4.3)CIP0074,R5.1.3
ChangeRationale:(Part4.3)
Movedrequirementstoensureconsistencyandeliminatethecrossreferencingofrequirements.
Clarifiedwhatwasnecessaryinperformingverificationbystatingtheobjectivewastoconfirm
thataccessprivilegesarecorrectandtheminimumnecessary.
Referencetopriorversion:(Part4.4)CIP0034,R5.1.2
ChangeRationale:(Part4.4)
Movedrequirementtoensureconsistencyamongaccessreviews.Clarifiedprecisemeaningof
annual.Clarifiedwhatwasnecessaryinperformingaverificationbystatingtheobjectivewasto
GuidelinesandTechnicalBasis
Page50of52
confirmaccessprivilegesarecorrectandtheminimumnecessaryforperformingassignedwork
functions.
RationaleforR5:
ThetimelyrevocationofelectronicaccesstoBESCyberSystemsisanessentialelementofan
accessmanagementregime.WhenanindividualnolongerrequiresaccesstoaBESCyber
Systemtoperformhisorherassignedfunctions,thataccessshouldberevoked.Thisisof
particularimportanceinsituationswhereachangeofassignmentoremploymentis
involuntary,asthereisarisktheindividual(s)involvedwillreactinahostileordestructive
manner.
InconsideringhowtoaddressdirectivesinFERCOrderNo.706directingimmediate
revocationofaccessforinvoluntaryseparation,theSDTchosenottospecifyhourlytime
parametersintherequirement(e.g.,revokingaccesswithin1hour).Thepointintimeatwhich
anorganizationterminatesapersoncannotgenerallybedetermineddowntothehour.
However,mostorganizationshaveformalterminationprocesses,andthetimeliestrevocation
ofaccessoccursinconcurrencewiththeinitialprocessesoftermination.
Accessisphysical,logical,andremotepermissionsgrantedtoCyberAssetscomposingtheBES
CyberSystemorallowingaccesstotheBESCyberSystem.Whengranting,reviewing,or
revokingaccess,theResponsibleEntitymustaddresstheCyberAssetspecificallyaswellasthe
systemsusedtoenablesuchaccess(e.g.,physicalaccesscontrolsystem,remoteaccesssystem,
directoryservices).
SummaryofChanges:FERCOrderNo.706,Paragraphs460and461,statethefollowing:The
CommissionadoptstheCIPNOPRproposaltodirecttheEROtodevelopmodificationstoCIP
0041torequireimmediaterevocationofaccessprivilegeswhenanemployee,contractoror
vendornolongerperformsafunctionthatrequiresphysicalorelectronicaccesstoaCritical
CyberAssetforanyreason(includingdisciplinaryaction,transfer,retirement,ortermination).
Asageneralmatter,theCommissionbelievesthatrevokingaccesswhenanemployeeno
longerneedsit,eitherbecauseofachangeinjobortheendofemployment,mustbe
immediate.
Referencetopriorversion:(Part5.1)CIP0044,R4.2
ChangeRationale:(Part5.1)
TheFERCOrderNo.706,Paragraphs460and461,directsmodificationstotheStandardsto
requireimmediaterevocationforanypersonnolongerneedingaccess.Toaddressthis
directive,thisrequirementspecifiesrevocationconcurrentwiththeterminationinsteadof
within24hours.
Referencetopriorversion:(Part5.2)CIP0044,R4.2
ChangeRationale:(Part5.2)
GuidelinesandTechnicalBasis
Page51of52
FERCOrderNo.706,Paragraph460and461,directmodificationstotheStandardstorequire
immediaterevocationforanypersonnolongerneedingaccess,includingtransferred
employees.Inreviewinghowtomodifythisrequirement,theSDTdeterminedthedateaperson
nolongerneedsaccessafteratransferwasproblematicbecausetheneedmaychangeover
time.Asaresult,theSDTadaptedthisrequirementfromNIST80053Version3toreviewaccess
authorizationsonthedateofthetransfer.TheSDTfeltthiswasamoreeffectivecontrolin
accomplishingtheobjectivetopreventapersonfromaccumulatingunnecessaryauthorizations
throughtransfers.
Referencetopriorversion:(Part5.3)New
ChangeRationale:(Part5.3)
FERCOrderNo.706,Paragraph386,directsmodificationstothestandardstorequireprompt
revocationofaccesstoprotectedinformation.Toaddressthisdirective,ResponsibleEntitiesare
requiredtorevokeaccesstoareasdesignatedforBESCyberSystemInformation.Thiscould
includerecordsclosets,substationcontrolhouses,recordsmanagementsystems,filesharesor
otherphysicalandlogicalareasundertheResponsibleEntityscontrol.
Referencetopriorversion:(Part5.4)New
ChangeRationale:(Part5.4)
FERCOrderNo.706,Paragraph460and461,directmodificationstotheStandardstorequire
immediaterevocationforanypersonnolongerneedingaccess.Inordertomeettheimmediate
timeframe,ResponsibleEntitieswilllikelyhaveinitialrevocationprocedurestopreventremote
andphysicalaccesstotheBESCyberSystem.Somecasesmaytakemoretimetocoordinate
accessrevocationonindividualCyberAssetsandapplicationswithoutaffectingreliability.This
requirementprovidestheadditionaltimetoreviewandcompletetherevocationprocess.
Althoughtheinitialactionsalreadypreventfurtheraccess,thisstepprovidesadditional
assuranceintheaccessrevocationprocess.
Referencetopriorversion:(Part5.5)CIP0074,R5.2.3
ChangeRationale:(Part5.5)
Toprovideclarificationofexpectedactionsinmanagingthepasswords.
GuidelinesandTechnicalBasis
Page52of52
Version History
Version Date Action ChangeTracking
1 1/16/06 R3.2ChangeControlCenterto
controlcenter.
3/24/06
2 9/30/09
Modificationstoclarifythe
requirementsandtobringthe
complianceelementsintoconformance
withthelatestguidelinesfordeveloping
complianceelementsofstandards.
Removalofreasonablebusiness
judgment.
ReplacedtheRROwiththeREasa
responsibleentity.
RewordingofEffectiveDate.
Changedcompliancemonitorto
ComplianceEnforcementAuthority.
3 12/16/09 Updatedversionnumberfrom2to3
ApprovedbytheNERCBoardof
Trustees.
3 3/31/10 ApprovedbyFERC.
4 12/30/10 Modifiedtoaddspecificcriteriafor
CriticalAssetidentification.
Update
4 1/24/11 ApprovedbytheNERCBoardof
Trustees.
Update
5 11/26/12 AdoptedbytheNERCBoardof
Trustees.
Modifiedto
coordinatewith
otherCIP
standardsandto
reviseformatto
useRBS
Template.
CIP0055CyberSecurityElectronicSecurityPerimeter(s)
Page6of19
B. Requirements and Measures
R1. EachResponsibleEntityshallimplementoneormoredocumentedprocessesthatcollectivelyincludeeachofthe
applicablerequirementpartsinCIP0055TableR1ElectronicSecurityPerimeter.[ViolationRiskFactor:Medium][Time
Horizon:OperationsPlanningandSameDayOperations].
M1. Evidencemustincludeeachoftheapplicabledocumentedprocessesthatcollectivelyincludeeachoftheapplicable
requirementpartsinCIP0055TableR1ElectronicSecurityPerimeterandadditionalevidencetodemonstrate
implementationasdescribedintheMeasurescolumnofthetable.
CIP0055TableR1ElectronicSecurityPerimeter
Part ApplicableSystems Requirements Measures
1.1 HighImpactBESCyberSystemsand
theirassociated:
PCA
MediumImpactBESCyberSystems
andtheirassociated:
PCA
AllapplicableCyberAssetsconnected
toanetworkviaaroutableprotocol
shallresidewithinadefinedESP.
Anexampleofevidencemayinclude,
butisnotlimitedto,alistofallESPs
withalluniquelyidentifiable
applicableCyberAssetsconnected
viaaroutableprotocolwithineach
ESP.
CIP0055CyberSecurityElectronicSecurityPerimeter(s)
Page7of19
CIP0055TableR1ElectronicSecurityPerimeter
Part ApplicableSystems Requirements Measures
1.2 HighImpactBESCyberSystemswith
ExternalRoutableConnectivityand
theirassociated:
PCA
MediumImpactBESCyberSystems
withExternalRoutableConnectivity
andtheirassociated:
PCA
AllExternalRoutableConnectivity
mustbethroughanidentified
ElectronicAccessPoint(EAP).
Anexampleofevidencemayinclude,
butisnotlimitedto,network
diagramsshowingallexternal
routablecommunicationpathsand
theidentifiedEAPs.
CIP0055CyberSecurityElectronicSecurityPerimeter(s)
Page8of19
CIP0055TableR1ElectronicSecurityPerimeter
Part ApplicableSystems Requirements Measures
1.3 ElectronicAccessPointsforHigh
ImpactBESCyberSystems
ElectronicAccessPointsforMedium
ImpactBESCyberSystems
Requireinboundandoutbound
accesspermissions,includingthe
reasonforgrantingaccess,anddeny
allotheraccessbydefault.
Anexampleofevidencemayinclude,
butisnotlimitedto,alistofrules
(firewall,accesscontrollists,etc.)
thatdemonstratethatonlypermitted
accessisallowedandthateach
accessrulehasadocumented
reason.
1.4 HighImpactBESCyberSystemswith
DialupConnectivityandtheir
associated:
PCA
MediumImpactBESCyberSystems
withDialupConnectivityandtheir
associated:
PCA
Wheretechnicallyfeasible,perform
authenticationwhenestablishing
DialupConnectivitywithapplicable
CyberAssets.
Anexampleofevidencemayinclude,
butisnotlimitedto,adocumented
processthatdescribeshowthe
ResponsibleEntityisproviding
authenticatedaccessthrougheach
dialupconnection.
CIP0055CyberSecurityElectronicSecurityPerimeter(s)
Page9of19
CIP0055TableR1ElectronicSecurityPerimeter
Part ApplicableSystems Requirements Measures
1.5 ElectronicAccessPointsforHigh
ImpactBESCyberSystems
ElectronicAccessPointsforMedium
ImpactBESCyberSystemsatControl
Centers
Haveoneormoremethodsfor
detectingknownorsuspected
maliciouscommunicationsforboth
inboundandoutbound
communications.
Anexampleofevidencemayinclude,
butisnotlimitedto,documentation
thatmaliciouscommunications
detectionmethods(e.g.intrusion
detectionsystem,applicationlayer
firewall,etc.)areimplemented.
R2. EachResponsibleEntityallowingInteractiveRemoteAccesstoBESCyberSystemsshallimplementoneormore
documentedprocessesthatcollectivelyincludetheapplicablerequirementparts,wheretechnicallyfeasible,inCIP0055
TableR2InteractiveRemoteAccessManagement.[ViolationRiskFactor:Medium][TimeHorizon:OperationsPlanning
andSameDayOperations].
M2. EvidencemustincludethedocumentedprocessesthatcollectivelyaddresseachoftheapplicablerequirementpartsinCIP
0055TableR2InteractiveRemoteAccessManagementandadditionalevidencetodemonstrateimplementationas
describedintheMeasurescolumnofthetable.
CIP0055CyberSecurityElectronicSecurityPerimeter(s)
Page10of19
CIP0055TableR2InteractiveRemoteAccessManagement
Part ApplicableSystems Requirements Measures
2.1 HighImpactBESCyberSystemsand
theirassociated:
PCA
MediumImpactBESCyberSystems
withExternalRoutableConnectivity
andtheirassociated:
PCA
UtilizeanIntermediateSystemsuch
thattheCyberAssetinitiating
InteractiveRemoteAccessdoesnot
directlyaccessanapplicableCyber
Asset.
Examplesofevidencemayinclude,but
arenotlimitedto,networkdiagramsor
architecturedocuments.
2.2 HighImpactBESCyberSystemsand
theirassociated:
PCA
MediumImpactBESCyberSystems
withExternalRoutableConnectivity
andtheirassociated:
PCA
ForallInteractiveRemoteAccess
sessions,utilizeencryptionthat
terminatesatanIntermediateSystem.
Anexampleofevidencemayinclude,
butisnotlimitedto,architecture
documentsdetailingwhereencryption
initiatesandterminates.
CIP0055CyberSecurityElectronicSecurityPerimeter(s)
Page11of19
CIP0055TableR2InteractiveRemoteAccessManagement
Part ApplicableSystems Requirements Measures
2.3 HighImpactBESCyberSystemsand
theirassociated:
PCA
MediumImpactBESCyberSystems
withExternalRoutableConnectivity
andtheirassociated:
PCA
Requiremultifactorauthenticationfor
allInteractiveRemoteAccesssessions.
Anexampleofevidencemayinclude,
butisnotlimitedto,architecture
documentsdetailingtheauthentication
factorsused.
Examplesofauthenticatorsmay
include,butarenotlimitedto,
Somethingtheindividualknows
suchaspasswordsorPINs.This
doesnotincludeUserID;
Somethingtheindividualhas
suchastokens,digital
certificates,orsmartcards;or
Somethingtheindividualissuch
asfingerprints,irisscans,or
otherbiometriccharacteristics.
CIP0055CyberSecurityElectronicSecurityPerimeter(s)
Page12of19
C. Compliance
1. ComplianceMonitoringProcess:
1.1. ComplianceEnforcementAuthority:
TheRegionalEntityshallserveastheComplianceEnforcementAuthority(CEA)
unlesstheapplicableentityisowned,operated,orcontrolledbytheRegional
Entity.InsuchcasestheEROoraRegionalEntityapprovedbyFERCorother
applicablegovernmentalauthorityshallserveastheCEA.
1.2. EvidenceRetention:
Thefollowingevidenceretentionperiodsidentifytheperiodoftimeanentityis
requiredtoretainspecificevidencetodemonstratecompliance.Forinstances
wheretheevidenceretentionperiodspecifiedbelowisshorterthanthetime
sincethelastaudit,theCEAmayaskanentitytoprovideotherevidencetoshow
thatitwascompliantforthefulltimeperiodsincethelastaudit.
TheResponsibleEntityshallkeepdataorevidencetoshowcomplianceas
identifiedbelowunlessdirectedbyitsCEAtoretainspecificevidencefora
longerperiodoftimeaspartofaninvestigation:
EachResponsibleEntityshallretainevidenceofeachrequirementinthis
standardforthreecalendaryears.
IfaResponsibleEntityisfoundnoncompliant,itshallkeepinformation
relatedtothenoncomplianceuntilmitigationiscompleteandapprovedor
forthetimespecifiedabove,whicheverislonger.
TheCEAshallkeepthelastauditrecordsandallrequestedandsubmitted
subsequentauditrecords.
1.3. ComplianceMonitoringandAssessmentProcesses:
ComplianceAudit
SelfCertification
SpotChecking
ComplianceInvestigation
SelfReporting
Complaint
1.4. AdditionalComplianceInformation:
None
GuidelinesandTechnicalBasis
Page13of19
D. Regional Variances
None.
E. Interpretations
None.
F. Associated Documents
None.
Guidelines and Technical Basis
Section4ScopeofApplicabilityoftheCIPCyberSecurityStandards
Section4.ApplicabilityofthestandardsprovidesimportantinformationforResponsible
EntitiestodeterminethescopeoftheapplicabilityoftheCIPCyberSecurityRequirements.
Section4.1.FunctionalEntitiesisalistofNERCfunctionalentitiestowhichthestandard
applies.IftheentityisregisteredasoneormoreofthefunctionalentitieslistedinSection4.1,
thentheNERCCIPCyberSecurityStandardsapply.NotethatthereisaqualificationinSection
4.1thatrestrictstheapplicabilityinthecaseofDistributionProviderstoonlythosethatown
certaintypesofsystemsandequipmentlistedin4.2.Furthermore,
Section4.2.FacilitiesdefinesthescopeoftheFacilities,systems,andequipmentownedby
theResponsibleEntity,asqualifiedinSection4.1,thatissubjecttotherequirementsofthe
standard.Asspecifiedintheexemptionsection4.2.3.5,thisstandarddoesnotapplyto
ResponsibleEntitiesthatdonothaveHighImpactorMediumImpactBESCyberSystemsunder
CIP0025scategorization.InadditiontothesetofBESFacilities,ControlCenters,andother
systemsandequipment,thelistincludesthesetofsystemsandequipmentownedby
DistributionProviders.WhiletheNERCGlossarytermFacilitiesalreadyincludestheBES
characteristic,theadditionaluseofthetermBEShereismeanttoreinforcethescopeof
applicabilityoftheseFacilitieswhereitisused,especiallyinthisapplicabilityscopingsection.
ThisineffectsetsthescopeofFacilities,systems,andequipmentthatissubjecttothe
standards.
RequirementR1:
CIP0055,RequirementR1requiressegmentingofBESCyberSystemsfromothersystemsof
differingtrustlevelsbyrequiringcontrolledElectronicAccessPointsbetweenthedifferenttrust
zones.ElectronicSecurityPerimetersarealsousedasaprimarydefenselayerforsomeBES
CyberSystemsthatmaynotinherentlyhavesufficientcybersecurityfunctionality,suchas
devicesthatlackauthenticationcapability.
GuidelinesandTechnicalBasis
Page14of19
AllapplicableBESCyberSystemsthatareconnectedtoanetworkviaaroutableprotocolmust
haveadefinedElectronicSecurityPerimeter(ESP).Evenstandalonenetworksthathaveno
externalconnectivitytoothernetworksmusthaveadefinedESP.TheESPdefinesazoneof
protectionaroundtheBESCyberSystem,anditalsoprovidesclarityforentitiestodetermine
whatsystemsorCyberAssetsareinscopeandwhatrequirementstheymustmeet.TheESPis
usedin:
DefiningthescopeofAssociatedProtectedCyberAssetsthatmustalsomeetcertain
CIPrequirements.
DefiningtheboundaryinwhichalloftheCyberAssetsmustmeettherequirementsof
thehighestimpactBESCyberSystemthatisinthezone(thehighwatermark).
TheCIPCyberSecurityStandardsdonotrequirenetworksegmentationofBESCyberSystems
byimpactclassification.ManydifferentimpactclassificationscanbemixedwithinanESP.
However,alloftheCyberAssetsandBESCyberSystemswithintheESPmustbeprotectedat
thelevelofthehighestimpactBESCyberSystempresentintheESP(i.e.,thehighwater
mark)wherethetermProtectedCyberAssetsisused.TheCIPCyberSecurityStandards
accomplishthehighwatermarkbyassociatingallotherCyberAssetswithintheESP,even
otherBESCyberSystemsoflesserimpact,asProtectedCyberAssetsofthehighestimpact
systemintheESP.
Forexample,ifanESPcontainsbothahighimpactBESCyberSystemandalowimpactBES
CyberSystem,eachCyberAssetofthelowimpactBESCyberSystemisanAssociated
ProtectedCyberAssetofthehighimpactBESCyberSystemandmustmeetallrequirements
withthatdesignationintheapplicabilitycolumnsoftherequirementtables.
IfthereisroutableconnectivityacrosstheESPintoanyCyberAsset,thenanElectronicAccess
Point(EAP)mustcontroltrafficintoandoutoftheESP.ResponsibleEntitiesshouldknowwhat
trafficneedstocrossanEAPanddocumentthosereasonstoensuretheEAPslimitthetrafficto
onlythoseknowncommunicationneeds.Theseinclude,butarenotlimitedto,
communicationsneededfornormaloperations,emergencyoperations,support,maintenance,
andtroubleshooting.
TheEAPshouldcontrolbothinboundandoutboundtraffic.Thestandardaddedoutbound
trafficcontrol,asitisaprimeindicatorofcompromiseandafirstlevelofdefenseagainstzero
dayvulnerabilitybasedattacks.IfCyberAssetswithintheESPbecomecompromisedand
attempttocommunicatetounknownhostsoutsidetheESP(usuallycommandandcontrol
hostsontheInternet,orcompromisedjumphostswithintheResponsibleEntitysother
networksactingasintermediaries),theEAPsshouldfunctionasafirstlevelofdefensein
stoppingtheexploit.ThisdoesnotlimittheResponsibleEntityfromcontrollingoutbound
trafficatthelevelofgranularitythatitdeemsappropriate,andlargerangesofinternal
addressesmaybeallowed.TheSDTsintentisthattheResponsibleEntityknowswhatother
CyberAssetsorrangesofaddressesaBESCyberSystemneedstocommunicatewithandlimits
thecommunicationstothatknownrange.Forexample,mostBESCyberSystemswithina
ResponsibleEntityshouldnothavetheabilitytocommunicatethroughanEAPtoanynetwork
addressintheworld,butshouldprobablybeatleastlimitedtotheaddressspaceofthe
GuidelinesandTechnicalBasis
Page15of19
ResponsibleEntity,andpreferablytoindividualsubnetrangesorindividualhostswithinthe
ResponsibleEntitysaddressspace. TheSDTsintentisnotforResponsibleEntitiestodocument
theinnerworkingsofstatefulfirewalls,whereconnectionsinitiatedinonedirectionare
allowedareturnpath.Theintentistoknowanddocumentwhatsystemscantalktowhat
othersystemsorrangesofsystemsontheothersideoftheEAP,suchthatrogueconnections
canbedetectedandblocked.
Thisrequirementappliesonlytocommunicationsforwhichaccesslistsanddenybydefault
typerequirementscanbeuniversallyapplied,whichtodayarethosethatemployroutable
protocols.Directserial,nonroutableconnectionsarenotincludedasthereisnoperimeteror
firewalltypesecuritythatshouldbeuniversallymandatedacrossallentitiesandallserial
communicationsituations.ThereisnofirewallorperimetercapabilityforanRS232cablerun
betweentwoCyberAssets.Withoutaclearperimetertypesecuritycontrolthatcanbe
appliedinpracticallyeverycircumstance,sucharequirementwouldmostlygeneratetechnical
feasibilityexceptions(TFEs)ratherthanincreasedsecurity.
Asfordialupconnectivity,theStandardDraftingTeamsintentofthisrequirementisto
preventsituationswhereonlyaphonenumbercanestablishdirectconnectivitytotheBES
CyberAsset.Ifadialupmodemisimplementedinsuchawaythatitsimplyanswersthephone
andconnectsthelinetotheBESCyberAssetwithnoauthenticationofthecallingparty,itisa
vulnerabilitytotheBESCyberSystem.Therequirementcallsforsomeformofauthentication
ofthecallingpartybeforecompletingtheconnectiontotheBESCyberSystem.Someexamples
ofacceptablemethodsincludedialbackmodems,modemsthatmustberemotelyenabledor
poweredup,andmodemsthatareonlypoweredonbyonsitepersonnelwhenneededalong
withpolicythatstatestheyaredisabledafteruse.Ifthedialupconnectivityisusedfor
InteractiveRemoteAccess,thenRequirementR2alsoapplies.
ThestandardaddsarequirementtodetectmaliciouscommunicationsforControlCenters.This
isinresponsetoFERCOrderNo.706,Paragraphs496503,whereESPsarerequiredtohavetwo
distinctsecuritymeasuressuchthattheBESCyberSystemsdonotloseallperimeterprotection
ifonemeasurefailsorismisconfigured.TheOrdermakesclearthatthisisnotsimply
redundancyoffirewalls,thustheSDThasdecidedtoaddthesecuritymeasureofmalicious
trafficinspectionasarequirementfortheseESPs.Technologiesmeetingthisrequirement
includeIntrusionDetectionorIntrusionPreventionSystems(IDS/IPS)orotherformsofdeep
packetinspection.Thesetechnologiesgobeyondsource/destination/portrulesetsandthus
provideanotherdistinctsecuritymeasureattheESP.
RequirementR2:
SeeSecureRemoteAccessReferenceDocument(seeremoteaccessalert).
GuidelinesandTechnicalBasis
Page16of19
Rationale:
Duringthedevelopmentofthisstandard,referencestopriorversionsoftheCIPstandardsand
rationalefortherequirementsandtheirpartswereembeddedwithinthestandard.UponBOT
approval,thatinformationwasmovedtothissection.
RationaleforR1:
TheElectronicSecurityPerimeter(ESP)servestocontroltrafficattheexternalelectronic
boundaryoftheBESCyberSystem.Itprovidesafirstlayerofdefensefornetworkbased
attacksasitlimitsreconnaissanceoftargets,restrictsandprohibitstraffictoaspecifiedrule
set,andassistsincontaininganysuccessfulattacks.
SummaryofChanges:CIP005,RequirementR1hastakenmoreofafocusonthediscrete
ElectronicAccessPoints,ratherthanthelogicalperimeter.
CIP005(V1throughV4),RequirementR1.2hasbeendeletedfromV5.Thisrequirementwas
definitionalinnatureandusedtobringdialupmodemsusingnonroutableprotocolsintothe
scopeofCIP005.ThenonroutableprotocolexclusionnolongerexistsasablanketCIP002
filterforapplicabilityinV5,thereforethereisnoneedforthisrequirement.
CIP005(V1throughV4),RequirementR1.1andR1.3werealsodefinitionalinnatureandhave
beendeletedfromV5asseparaterequirementsbuttheconceptswereintegratedintothe
definitionsofESPandElectronicAccessPoint(EAP).
Referencetopriorversion:(Part1.1)CIP0054,R1
ChangeRationale:(Part1.1)
ExplicitlyclarifiesthatBESCyberAssetsconnectedviaroutableprotocolmustbeinanElectronic
SecurityPerimeter.
Referencetopriorversion:(Part1.2)CIP0054,R1
ChangeRationale:(Part1.2)
ChangedtorefertothedefinedtermElectronicAccessPointandBESCyberSystem.
Referencetopriorversion:(Part1.3)CIP0054,R2.1
ChangeRationale:(Part1.3)
ChangedtorefertothedefinedtermElectronicAccessPointandtofocusontheentityknowing
andhavingareasonforwhatitallowsthroughtheEAPinbothinboundandoutbound
directions.
Referencetopriorversion:(Part1.4)CIP0054,R2.3
ChangeRationale:(Part1.4)
AddedclarificationthatdialupconnectivityshouldperformauthenticationsothattheBES
CyberSystemisnotdirectlyaccessiblewithaphonenumberonly.
GuidelinesandTechnicalBasis
Page17of19
Referencetopriorversion:(Part1.5)CIP0054,R1
ChangeRationale:(Part1.5)
PerFERCOrderNo.706,Paragraphs496503,ESPsneedtwodistinctsecuritymeasuressuch
thattheCyberAssetsdonotloseallperimeterprotectionifonemeasurefailsoris
misconfigured.TheOrdermakesclearthisisnotsimpleredundancyoffirewalls,thustheSDT
hasdecidedtoaddthesecuritymeasureofmalicioustrafficinspectionasarequirementfor
theseESPs.
RationaleforR2:
RegisteredEntitiesuseInteractiveRemoteAccesstoaccessCyberAssetstosupportand
maintaincontrolsystemsnetworks.Discoveryandannouncementofvulnerabilitiesforremote
accessmethodsandtechnologies,thatwerepreviouslythoughtsecureandinusebyanumber
ofelectricsectorentities,necessitatechangestoindustrysecuritycontrolstandards.Currently,
norequirementsareineffectformanagementofsecureremoteaccesstoCyberAssetstobe
affordedtheNERCCIPprotectivemeasures.Inadequatesafeguardsforremoteaccesscan
allowunauthorizedaccesstotheorganizationsnetwork,withpotentiallyserious
consequences.AdditionalinformationisprovidedinGuidanceforSecureInteractiveRemote
AccesspublishedbyNERCinJuly2011.
Remoteaccesscontrolproceduresmustprovideadequatesafeguardsthroughrobust
identification,authenticationandencryptiontechniques.Remoteaccesstotheorganizations
networkandresourceswillonlybepermittedprovidingthatauthorizedusersare
authenticated,dataisencryptedacrossthenetwork,andprivilegesarerestricted.
TheIntermediateSystemservesasaproxyfortheremoteuser.Ratherthanallowingallthe
protocolstheusermightneedtoaccessCyberAssetsinsidetheElectronicSecurityPerimeterto
traversefromtheElectronicSecurityPerimetertotheremotecomputer,onlytheprotocol
requiredforremotelycontrollingthejumphostisrequired.Thisallowsthefirewallrulestobe
muchmorerestrictivethaniftheremotecomputerwasallowedtoconnecttoCyberAssets
withintheElectronicSecurityPerimeterdirectly.TheuseofanIntermediateSystemalso
protectstheCyberAssetfromvulnerabilitiesontheremotecomputer.
Theuseofmultifactorauthenticationprovidesanaddedlayerofsecurity.Passwordscanbe
guessed,stolen,hijacked,found,orgivenaway.Theyaresubjecttoautomatedattacks
includingbruteforceattacks,inwhichpossiblepasswordsaretrieduntilthepasswordisfound,
ordictionaryattacks,wherewordsandwordcombinationsaretestedaspossiblepasswords.
ButifapasswordorPINmustbesuppliedalongwithaonetimepasswordsuppliedbyatoken,
afingerprint,orsomeotherfactor,thepasswordisofnovalueunlesstheotherfactor(s)used
forauthenticationareacquiredalongwithit.
GuidelinesandTechnicalBasis
Page18of19
Encryptionisusedtoprotectthedatathatissentbetweentheremotecomputerandthe
IntermediateSystem.Dataencryptionisimportantforanyonewhowantsorneedssecuredata
transfer.Encryptionisneededwhenthereisariskofunauthorizedinterceptionof
transmissionsonthecommunicationslink.ThisisespeciallyimportantwhenusingtheInternet
asthecommunicationmeans.
SummaryofChanges:ThisisanewrequirementtocontinuetheeffortsoftheUrgentAction
teamforProject201015:ExpeditedRevisionstoCIP0053.
Referencetopriorversion:(Part2.1)New
ChangeRationale:(Part2.1)
ThisisanewrequirementtocontinuetheeffortsoftheUrgentActionteamforProject201015:
ExpeditedRevisionstoCIP0053.
Referencetopriorversion:(Part2.2)CIP0075,R3.1
ChangeRationale:(Part2.2)
ThisisanewrequirementtocontinuetheeffortsoftheUrgentActionteamforProject201015:
ExpeditedRevisionstoCIP0053.Thepurposeofthispartistoprotecttheconfidentialityand
integrityofeachInteractiveRemoteAccesssession.
Referencetopriorversion:(Part2.3)CIP0075,R3.2
ChangeRationale:(Part2.3)
ThisisanewrequirementtocontinuetheeffortsoftheUrgentActionteamforProject201015:
ExpeditedRevisionstoCIP0053.Themultifactorauthenticationmethodsarealsothesameas
thoseidentifiedintheHomelandSecurityPresidentialDirective12(HSPD12),issuedAugust12,
2007.
GuidelinesandTechnicalBasis
Page19of19
Version History
Version Date Action ChangeTracking
1 1/16/06
R3.2ChangeControlCenterto
controlcenter.
3/24/06
2 9/30/09 Modificationstoclarifythe
requirementsandtobringthe
complianceelementsintoconformance
withthelatestguidelinesfordeveloping
complianceelementsofstandards.
Removalofreasonablebusiness
judgment.
ReplacedtheRROwiththeREasa
responsibleentity.
RewordingofEffectiveDate.
Changedcompliancemonitorto
ComplianceEnforcementAuthority.
3 12/16/09 Updatedversionnumberfrom2to3
ApprovedbytheNERCBoardof
Trustees.
3 3/31/10 ApprovedbyFERC.
4 12/30/10 Modifiedtoaddspecificcriteriafor
CriticalAssetidentification.
Update
4 1/24/11 ApprovedbytheNERCBoardof
Trustees.
Update
5 11/26/12 AdoptedbytheNERCBoardof
Trustees.
Modifiedto
coordinatewith
otherCIP
standardsandto
reviseformatto
useRBS
Template.
CIP0065CyberSecurityPhysicalSecurityofBESCyberSystems
Page6of24
B. Requirements and Measures
R1. EachResponsibleEntityshallimplement,inamannerthatidentifies,assesses,andcorrectsdeficiencies,oneormore
documentedphysicalsecurityplansthatcollectivelyincludealloftheapplicablerequirementpartsinCIP0065TableR1
PhysicalSecurityPlan.[ViolationRiskFactor:Medium][TimeHorizon:LongTermPlanningandSameDayOperations].
M1. Evidencemustincludeeachofthedocumentedphysicalsecurityplansthatcollectivelyincludealloftheapplicable
requirementpartsinCIP0065TableR1PhysicalSecurityPlanandadditionalevidencetodemonstrateimplementation
oftheplanorplansasdescribedintheMeasurescolumnofthetable.
CIP0065TableR1PhysicalSecurityPlan
Part ApplicableSystems Requirements Measures
1.1 MediumImpactBESCyberSystems
withoutExternalRoutableConnectivity
PhysicalAccessControlSystems(PACS)
associatedwith:
HighImpactBESCyberSystems,
or
MediumImpactBESCyber
SystemswithExternalRoutable
Connectivity
Defineoperationalorprocedural
controlstorestrictphysicalaccess.
Anexampleofevidencemayinclude,
butisnotlimitedto,documentation
thatoperationalorproceduralcontrols
exist.
CIP0065CyberSecurityPhysicalSecurityofBESCyberSystems
Page7of24
CIP0065TableR1PhysicalSecurityPlan
Part ApplicableSystems Requirements Measures
1.2 MediumImpactBESCyberSystems
withExternalRoutableConnectivity
andtheirassociated:
1. EACMS;and
2. PCA
Utilizeatleastonephysicalaccess
controltoallowunescortedphysical
accessintoeachapplicablePhysical
SecurityPerimetertoonlythose
individualswhohaveauthorized
unescortedphysicalaccess.
Anexampleofevidencemayinclude,
butisnotlimitedto,languageinthe
physicalsecurityplanthatdescribes
eachPhysicalSecurityPerimeterand
howunescortedphysicalaccessis
controlledbyoneormoredifferent
methodsandproofthatunescorted
physicalaccessisrestrictedtoonly
authorizedindividuals,suchasalistof
authorizedindividualsaccompaniedby
accesslogs.
CIP0065CyberSecurityPhysicalSecurityofBESCyberSystems
Page8of24
CIP0065TableR1PhysicalSecurityPlan
Part ApplicableSystems Requirements Measures
1.3 HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;and
2. PCA
Wheretechnicallyfeasible,utilizetwo
ormoredifferentphysicalaccess
controls(thisdoesnotrequiretwo
completelyindependentphysical
accesscontrolsystems)tocollectively
allowunescortedphysicalaccessinto
PhysicalSecurityPerimeterstoonly
thoseindividualswhohaveauthorized
unescortedphysicalaccess.
Anexampleofevidencemayinclude,
butisnotlimitedto,languageinthe
physicalsecurityplanthatdescribes
thePhysicalSecurityPerimetersand
howunescortedphysicalaccessis
controlledbytwoormoredifferent
methodsandproofthatunescorted
physicalaccessisrestrictedtoonly
authorizedindividuals,suchasalistof
authorizedindividualsaccompaniedby
accesslogs.
CIP0065CyberSecurityPhysicalSecurityofBESCyberSystems
Page9of24
CIP0065TableR1PhysicalSecurityPlan
Part ApplicableSystems Requirements Measures
1.4 HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;and
2. PCA
MediumImpactBESCyberSystems
withExternalRoutableConnectivity
andtheirassociated:
1. EACMS;and
2. PCA
Monitorforunauthorizedaccess
throughaphysicalaccesspointintoa
PhysicalSecurityPerimeter.
Anexampleofevidencemayinclude,
butisnotlimitedto,documentationof
controlsthatmonitorforunauthorized
accessthroughaphysicalaccesspoint
intoaPhysicalSecurityPerimeter.
CIP0065CyberSecurityPhysicalSecurityofBESCyberSystems
Page10of24
CIP0065TableR1PhysicalSecurityPlan
Part ApplicableSystems Requirements Measures
1.5 HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;and
2. PCA
MediumImpactBESCyberSystems
withExternalRoutableConnectivity
andtheirassociated:
1. EACMS;and
2. PCA
Issueanalarmoralertinresponseto
detectedunauthorizedaccessthrough
aphysicalaccesspointintoaPhysical
SecurityPerimetertothepersonnel
identifiedintheBESCyberSecurity
Incidentresponseplanwithin15
minutesofdetection.
Anexampleofevidencemayinclude,
butisnotlimitedto,languageinthe
physicalsecurityplanthatdescribes
theissuanceofanalarmoralertin
responsetounauthorizedaccess
throughaphysicalaccesscontrolinto
aPhysicalSecurityPerimeterand
additionalevidencethatthealarmor
alertwasissuedandcommunicatedas
identifiedintheBESCyberSecurity
IncidentResponsePlan,suchas
manualorelectronicalarmoralert
logs,cellphoneorpagerlogs,orother
evidencethatdocumentsthatthe
alarmoralertwasgeneratedand
communicated.
1.6 PhysicalAccessControlSystems(PACS)
associatedwith:
HighImpactBESCyber
Systems,or
MediumImpactBESCyber
SystemswithExternalRoutable
Connectivity
MonitoreachPhysicalAccessControl
Systemforunauthorizedphysical
accesstoaPhysicalAccessControl
System.
Anexampleofevidencemayinclude,
butisnotlimitedto,documentationof
controlsthatmonitorforunauthorized
physicalaccesstoaPACS.
CIP0065CyberSecurityPhysicalSecurityofBESCyberSystems
Page11of24
CIP0065TableR1PhysicalSecurityPlan
Part ApplicableSystems Requirements Measures
1.7 PhysicalAccessControlSystems(PACS)
associatedwith:
HighImpactBESCyber
Systems,or
MediumImpactBESCyber
SystemswithExternalRoutable
Connectivity
Issueanalarmoralertinresponseto
detectedunauthorizedphysicalaccess
toaPhysicalAccessControlSystemto
thepersonnelidentifiedintheBES
CyberSecurityIncidentresponseplan
within15minutesofthedetection.
Anexampleofevidencemayinclude,
butisnotlimitedto,languageinthe
physicalsecurityplanthatdescribes
theissuanceofanalarmoralertin
responsetounauthorizedphysical
accesstoPhysicalAccessControl
Systemsandadditionalevidencethat
thealarmoralertswasissuedand
communicatedasidentifiedintheBES
CyberSecurityIncidentResponsePlan,
suchasalarmoralertlogs,cellphone
orpagerlogs,orotherevidencethat
thealarmoralertwasgeneratedand
communicated.
CIP0065CyberSecurityPhysicalSecurityofBESCyberSystems
Page12of24
CIP0065TableR1PhysicalSecurityPlan
Part ApplicableSystems Requirements Measures
1.8 HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;and
2. PCA
MediumImpactBESCyberSystems
withExternalRoutableConnectivity
andtheirassociated:
1. EACMS;and
2. PCA
Log(throughautomatedmeansorby
personnelwhocontrolentry)entryof
eachindividualwithauthorized
unescortedphysicalaccessintoeach
PhysicalSecurityPerimeter,with
informationtoidentifytheindividual
anddateandtimeofentry.
Anexampleofevidencemayinclude,
butisnotlimitedto,languageinthe
physicalsecurityplanthatdescribes
loggingandrecordingofphysicalentry
intoeachPhysicalSecurityPerimeter
andadditionalevidenceto
demonstratethatthislogginghas
beenimplemented,suchaslogsof
physicalaccessintoPhysicalSecurity
Perimetersthatshowtheindividual
andthedateandtimeofentryinto
PhysicalSecurityPerimeter.
CIP0065CyberSecurityPhysicalSecurityofBESCyberSystems
Page13of24
CIP0065TableR1PhysicalSecurityPlan
Part ApplicableSystems Requirements Measures
1.9 HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;and
2. PCA
MediumImpactBESCyberSystems
withExternalRoutableConnectivity
andtheirassociated:
1. EACMS;and
2. PCA
Retainphysicalaccesslogsofentryof
individualswithauthorizedunescorted
physicalaccessintoeachPhysical
SecurityPerimeterforatleastninety
calendardays.
Anexampleofevidencemayinclude,
butisnotlimitedto,dated
documentationsuchaslogsofphysical
accessintoPhysicalSecurity
Perimetersthatshowthedateand
timeofentryintoPhysicalSecurity
Perimeter.
R2. EachResponsibleEntityshallimplement,inamannerthatidentifies,assesses,andcorrectsdeficiencies,oneormore
documentedvisitorcontrolprogramsthatincludeeachoftheapplicablerequirementpartsinCIP0065TableR2Visitor
ControlProgram.[ViolationRiskFactor:Medium][TimeHorizon:SameDayOperations.]
M2. Evidencemustincludeoneormoredocumentedvisitorcontrolprogramsthatcollectivelyincludeeachoftheapplicable
requirementpartsinCIP0065TableR2VisitorControlProgramandadditionalevidencetodemonstrateimplementationas
describedintheMeasurescolumnofthetable.
CIP0065CyberSecurityPhysicalSecurityofBESCyberSystems
Page14of24
CIP0065TableR2VisitorControlProgram
Part
ApplicableSystems Requirements Measures
2.1
HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;and
2. PCA
MediumImpactBESCyberSystems
withExternalRoutableConnectivity
andtheirassociated:
1. EACMS;and
2. PCA
Requirecontinuousescortedaccessof
visitors(individualswhoareprovided
accessbutarenotauthorizedfor
unescortedphysicalaccess)within
eachPhysicalSecurityPerimeter,
exceptduringCIPExceptional
Circumstances.
Anexampleofevidencemayinclude,
butisnotlimitedto,languageina
visitorcontrolprogramthatrequires
continuousescortedaccessofvisitors
withinPhysicalSecurityPerimetersand
additionalevidencetodemonstrate
thattheprocesswasimplemented,
suchasvisitorlogs.
CIP0065CyberSecurityPhysicalSecurityofBESCyberSystems
Page15of24
CIP-006-5 Table R2 Visitor Control Program
Part
ApplicableSystems
Requirements Measures
2.2 HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;and
2. PCA
MediumImpactBESCyberSystems
withExternalRoutableConnectivity
andtheirassociated:
1. EACMS;and
2. PCA
Requiremanualorautomatedlogging
ofvisitorentryintoandexitfromthe
PhysicalSecurityPerimeterthat
includesdateandtimeoftheinitial
entryandlastexit,thevisitorsname,
andthenameofanindividualpointof
contactresponsibleforthevisitor,
exceptduringCIPExceptional
Circumstances.
Anexampleofevidencemayinclude,
butisnotlimitedto,languageina
visitorcontrolprogramthatrequires
continuousescortedaccessofvisitors
withinPhysicalSecurityPerimetersand
additionalevidencetodemonstrate
thattheprocesswasimplemented,
suchasdatedvisitorlogsthatinclude
therequiredinformation.
2.3 HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;and
2. PCA
MediumImpactBESCyberSystems
withExternalRoutableConnectivity
andtheirassociated:
1. EACMS;and
2. PCA
Retainvisitorlogsforatleastninety
calendardays.
Anexampleofevidencemayinclude,
butisnotlimitedto,documentation
showinglogshavebeenretainedforat
leastninetycalendardays.
CIP0065CyberSecurityPhysicalSecurityofBESCyberSystems
Page16of24
R3. EachResponsibleEntityshallimplementoneormoredocumentedPhysicalAccessControlSystemmaintenanceandtesting
programsthatcollectivelyincludeeachoftheapplicablerequirementpartsinCIP0065TableR3MaintenanceandTesting
Program.[ViolationRiskFactor:Lower][TimeHorizon:LongTermPlanning].
M3. EvidencemustincludeeachofthedocumentedPhysicalAccessControlSystemmaintenanceandtestingprogramsthat
collectivelyincludeeachoftheapplicablerequirementpartsinCIP0065TableR3MaintenanceandTestingProgramand
additionalevidencetodemonstrateimplementationasdescribedintheMeasurescolumnofthetable.
CIP0065TableR3PhysicalAccessControlSystemMaintenanceandTestingProgram
Part ApplicableSystems Requirement Measures
3.1 PhysicalAccessControlSystems(PACS)
associatedwith:
HighImpactBESCyberSystems,or
MediumImpactBESCyberSystems
withExternalRoutableConnectivity
Locallymountedhardwareordevices
atthePhysicalSecurityPerimeter
associatedwith:
HighImpactBESCyberSystems,or
MediumImpactBESCyberSystems
withExternalRoutableConnectivity
Maintenanceandtestingofeach
PhysicalAccessControlSystemand
locallymountedhardwareordevicesat
thePhysicalSecurityPerimeteratleast
onceevery24calendarmonthsto
ensuretheyfunctionproperly.
Anexampleofevidencemayinclude,
butisnotlimitedto,amaintenance
andtestingprogramthatprovidesfor
testingeachPhysicalAccessControl
Systemandlocallymountedhardware
ordevicesassociatedwitheach
applicablePhysicalSecurityPerimeter
atleastonceevery24calendarmonths
andadditionalevidenceto
demonstratethatthistestingwas
done,suchasdatedmaintenance
records,orotherdocumentation
showingtestingandmaintenancehas
beenperformedoneachapplicable
deviceorsystematleastonceevery24
calendarmonths.
CIP0065CyberSecurityPhysicalSecurityofBESCyberSystems
Page17of24
C. Compliance
1. ComplianceMonitoringProcess:
1.1. ComplianceEnforcementAuthority:
TheRegionalEntityshallserveastheComplianceEnforcementAuthority(CEA)
unlesstheapplicableentityisowned,operated,orcontrolledbytheRegional
Entity.InsuchcasestheEROoraRegionalEntityapprovedbyFERCorother
applicablegovernmentalauthorityshallserveastheCEA.
1.2. EvidenceRetention:
Thefollowingevidenceretentionperiodsidentifytheperiodoftimeanentityis
requiredtoretainspecificevidencetodemonstratecompliance.Forinstances
wheretheevidenceretentionperiodspecifiedbelowisshorterthanthetime
sincethelastaudit,theCEAmayaskanentitytoprovideotherevidencetoshow
thatitwascompliantforthefulltimeperiodsincethelastaudit.
TheResponsibleEntityshallkeepdataorevidencetoshowcomplianceas
identifiedbelowunlessdirectedbyitsCEAtoretainspecificevidencefora
longerperiodoftimeaspartofaninvestigation:
EachResponsibleEntityshallretainevidenceofeachrequirementinthis
standardforthreecalendaryears.
IfaResponsibleEntityisfoundnoncompliant,itshallkeepinformation
relatedtothenoncomplianceuntilmitigationiscompleteandapprovedor
forthetimespecifiedabove,whicheverislonger.
TheCEAshallkeepthelastauditrecordsandallrequestedandsubmitted
subsequentauditrecords.
1.3. ComplianceMonitoringandAssessmentProcesses:
ComplianceAudit
SelfCertification
SpotChecking
ComplianceInvestigation
SelfReporting
Complaint
1.4. AdditionalComplianceInformation:
None
CIP0065CyberSecurityPhysicalSecurityofBESCyberSystems
Page18of24
D. Regional Variances
None.
E. Interpretations
None.
F. Associated Documents
None.
GuidelinesandTechnicalBasis
Page19of24
Guidelines and Technical Basis
Section4ScopeofApplicabilityoftheCIPCyberSecurityStandards
Section4.ApplicabilityofthestandardsprovidesimportantinformationforResponsible
EntitiestodeterminethescopeoftheapplicabilityoftheCIPCyberSecurityRequirements.
Section4.1.FunctionalEntitiesisalistofNERCfunctionalentitiestowhichthestandard
applies.IftheentityisregisteredasoneormoreofthefunctionalentitieslistedinSection4.1,
thentheNERCCIPCyberSecurityStandardsapply.NotethatthereisaqualificationinSection
4.1thatrestrictstheapplicabilityinthecaseofDistributionProviderstoonlythosethatown
certaintypesofsystemsandequipmentlistedin4.2.Furthermore,
Section4.2.FacilitiesdefinesthescopeoftheFacilities,systems,andequipmentownedby
theResponsibleEntity,asqualifiedinSection4.1,thatissubjecttotherequirementsofthe
standard.Asspecifiedintheexemptionsection4.2.3.5,thisstandarddoesnotapplyto
ResponsibleEntitiesthatdonothaveHighImpactorMediumImpactBESCyberSystemsunder
CIP0025scategorization.InadditiontothesetofBESFacilities,ControlCenters,andother
systemsandequipment,thelistincludesthesetofsystemsandequipmentownedby
DistributionProviders.WhiletheNERCGlossarytermFacilitiesalreadyincludestheBES
characteristic,theadditionaluseofthetermBEShereismeanttoreinforcethescopeof
applicabilityoftheseFacilitieswhereitisused,especiallyinthisapplicabilityscopingsection.
ThisineffectsetsthescopeofFacilities,systems,andequipmentthatissubjecttothe
standards.
General:
Whilethefocusisshiftedfromthedefinitionandmanagementofacompletelyenclosedsix
wallboundary,itisexpectedinmanyinstancesthiswillremainaprimarymechanismfor
controlling,alerting,andloggingaccesstoBESCyberSystems.Takentogether,thesecontrols
willeffectivelyconstitutethephysicalsecurityplantomanagephysicalaccesstoBESCyber
Systems.
RequirementR1:
Methodsofphysicalaccesscontrolinclude:
CardKey:Ameansofelectronicaccesswheretheaccessrightsofthecardholderare
predefinedinacomputerdatabase.Accessrightsmaydifferfromoneperimeterto
another.
SpecialLocks:Theseinclude,butarenotlimitedto,lockswithrestrictedkeysystems,
magneticlocksthatcanbeoperatedremotely,andmantrapsystems.
SecurityPersonnel:Personnelresponsibleforcontrollingphysicalaccesswhomayreside
onsiteoratamonitoringstation.
GuidelinesandTechnicalBasis
Page20of24
OtherAuthenticationDevices:Biometric,keypad,token,orotherequivalentdevicesthat
controlphysicalaccessintothePhysicalSecurityPerimeter.
Methodstomonitorphysicalaccessinclude:
AlarmSystems:Systemsthatalarmtoindicateinteriormotionorwhenadoor,gate,or
windowhasbeenopenedwithoutauthorization.Thesealarmsmustprovidefor
notificationwithin15minutestoindividualsresponsibleforresponse.
HumanObservationofAccessPoints:Monitoringofphysicalaccesspointsbysecurity
personnelwhoarealsocontrollingphysicalaccess.
Methodstologphysicalaccessinclude:
ComputerizedLogging:ElectroniclogsproducedbytheResponsibleEntitysselectedaccess
controlandalertingmethod.
VideoRecording:Electroniccaptureofvideoimagesofsufficientqualitytodetermine
identity.
ManualLogging:Alogbookorsigninsheet,orotherrecordofphysicalaccessmaintained
bysecurityorotherpersonnelauthorizedtocontrolandmonitorphysicalaccess.
TheFERCOrderNo.706,Paragraph572,directivediscussedutilizingtwoormoredifferentand
complementaryphysicalaccesscontrolstoprovidedefenseindepth.Itdoesnotrequiretwoor
morePhysicalSecurityPerimeters,nordoesitexcludetheuseoflayeredperimeters.Useof
twofactorauthenticationwouldbeacceptableatthesameentrypointsforanonlayered
singleperimeter.Forexample,asoleperimeterscontrolscouldincludeeitheracombination
ofcardkeyandpincode(somethingyouknowandsomethingyouhave),oracardkeyand
biometricscanner(somethingyouhaveandsomethingyouare),oraphysicalkeyin
combinationwithaguardmonitoredremotecameraanddoorrelease,wheretheguardhas
adequateinformationtoauthenticatethepersontheyareobservingortalkingtopriorto
permittingaccess(somethingyouhaveandsomethingyouare).Thetwofactorauthentication
couldbeimplementedusingasinglePhysicalAccessControlSystembutmorethanone
authenticationmethodmustbeutilized.Forphysicallylayeredprotection,alockedgatein
combinationwithalockedcontrolbuildingcouldbeacceptable,providednosingle
authenticator(e.g.,keyorcardkey)wouldprovideaccessthroughboth.
EntitiesmaychooseforcertainPACStoresideinaPSPcontrollingaccesstoapplicableBES
CyberSystems.ForthesePACS,thereisnoadditionalobligationtocomplywithRequirement
Parts1.1,1.7and1.8beyondwhatisalreadyrequiredforthePSP.
RequirementR2:
Theloggingofvisitorsshouldcaptureeachvisitoftheindividualanddoesnotneedtocapture
eachentryorexitduringthatvisit.Thisismeanttoallowavisitortotemporarilyexitthe
PhysicalSecurityPerimetertoobtainsomethingtheyleftintheirvehicleoroutsidethearea
withoutrequiringanewlogentryforeachandeveryentryduringthevisit.
GuidelinesandTechnicalBasis
Page21of24
TheSDTalsodeterminedthatapointofcontactshouldbedocumentedwhocanprovide
additionaldetailsaboutthevisitifquestionsariseinthefuture.Thepointofcontactcouldbe
theescort,butthereisnoneedtodocumenteveryonethatactedasanescortforthevisitor.
RequirementR3:
Thisincludesthetestingoflocallymountedhardwareordevicesusedincontrolling,alertingor
loggingaccesstothePhysicalSecurityPerimeter.Thisincludesmotionsensors,electroniclock
controlmechanisms,andbadgereaderswhicharenotdeemedtobepartofthePhysicalAccess
ControlSystembutarerequiredfortheprotectionoftheBESCyberSystems.
Rationale:
Duringthedevelopmentofthisstandard,referencestopriorversionsoftheCIPstandardsand
rationalefortherequirementsandtheirpartswereembeddedwithinthestandard.UponBOT
approval,thatinformationwasmovedtothissection.
RationaleforR1:
EachResponsibleEntityshallensurethatphysicalaccesstoallBESCyberSystemsisrestricted
andappropriatelymanaged.EntitiesmaychooseforcertainPACStoresideinaPSPcontrolling
accesstoapplicableBESCyberSystems.ForthesePACS,thereisnoadditionalobligationto
complywithRequirementParts1.1,1.7and1.8beyondwhatisalreadyrequiredforthePSP.
SummaryofChanges:TheentirecontentofCIP0065isintendedtoconstituteaphysical
securityprogram.Thisrepresentsachangefrompreviousversions,sincetherewasnospecific
requirementtohaveaphysicalsecurityprograminpreviousversionsofthestandards,only
requirementsforphysicalsecurityplans.
AddeddetailstoaddressFERCOrderNo.706,Paragraph572,directivesforphysicalsecurity
defenseindepth.
Additionalguidanceonphysicalsecuritydefenseindepthprovidedtoaddressthedirectivein
FERCOrderNo.706,Paragraph575.
Referencetopriorversion:(Part1.1)CIP0064c,R2.1forPhysicalAccessControlSystems
NewRequirementforMediumImpactBESCyberSystemsnothavingExternalRoutable
Connectivity
ChangeRationale:(Part1.1)
Toallowforprogrammaticprotectioncontrolsasabaseline(whichalsoincludeshowtheentity
planstoprotectMediumImpactBESCyberSystemsthatdonothaveExternalRoutable
ConnectivitynototherwisecoveredunderPart1.2,anditdoesnotrequireadetailedlistof
individualswithaccess).PhysicalAccessControlSystemsdonotthemselvesneedtobe
protectedatthesamelevelasrequiredinParts1.2through1.5.
Referencetopriorversion:(Part1.2)CIP0064c,R3&R4
ChangeRationale:(Part1.2)
GuidelinesandTechnicalBasis
Page22of24
Thisrequirementhasbeenmademoregeneraltoallowforalternatemeasuresofrestricting
physicalaccess.SpecificexamplesofmethodsaResponsibleEntitycantaketorestrictingaccess
toBESCyberSystemshasbeenmovedtotheGuidelinesandTechnicalBasissection.
Referencetopriorversion:(Part1.3)CIP0064c,R3&R4
ChangeRationale:(Part1.3)
ThespecificexamplesthatspecifymethodsaResponsibleEntitycantaketorestrictingaccessto
BESCyberSystemshasbeenmovedtotheGuidelinesandTechnicalBasissection.This
requirementhasbeenmademoregeneraltoallowforalternatemeasuresofcontrolling
physicalaccess.
AddedtoaddressFERCOrderNo.706,Paragraph572,relateddirectivesforphysicalsecurity
defenseindepth.
FERCOrderNo.706,Paragraph575,directivesaddressedbyprovidingtheexamplesinthe
guidancedocumentofphysicalsecuritydefenseindepthviamultifactorauthenticationor
layeredPhysicalSecurityPerimeter(s).
Referencetopriorversion:(Part1.4)CIP0064c,R5
ChangeRationale:(Part1.4)
ExamplesofmonitoringmethodshavebeenmovedtotheGuidelinesandTechnicalBasis
section.
Referencetopriorversion:(Part1.5)CIP0064c,R5
ChangeRationale:(Part1.5)
ExamplesofmonitoringmethodshavebeenmovedtotheGuidelinesandTechnicalBasis
section.
Referencetopriorversion:(Part1.6)CIP0064c,R5
ChangeRationale:(Part1.6)
AddressesthepriorCIP0064c,RequirementR5requirementforPhysicalAccessControl
Systems.
Referencetopriorversion:(Part1.7)CIP0064c,R5
ChangeRationale:(Part1.7)
AddressesthepriorCIP0064c,RequirementR5requirementforPhysicalAccessControl
Systems.
Referencetopriorversion:(Part1.8)CIP0064c,R6
ChangeRationale:(Part1.8)
GuidelinesandTechnicalBasis
Page23of24
CIP0064c,RequirementR6wasspecifictotheloggingofaccessatidentifiedaccesspoints.
ThisrequirementmoregenerallyrequiresloggingofauthorizedphysicalaccessintothePhysical
SecurityPerimeter.
ExamplesofloggingmethodshavebeenmovedtotheGuidelinesandTechnicalBasissection.
Referencetopriorversion:(Part1.9)CIP0064c,R7
ChangeRationale:(Part1.9)
Nochange.
RationaleforR2:
Tocontrolwhenpersonnelwithoutauthorizedunescortedphysicalaccesscanbeinany
PhysicalSecurityPerimetersprotectingBESCyberSystemsorElectronicAccessControlor
MonitoringSystems,asapplicableinTableR2.
SummaryofChanges:Reformattedintotablestructure.OriginallyaddedinVersion3perFERC
OrderissuedSeptember30,2009.
Referencetopriorversion:(Part2.1)CIP0064c,R1.6.2
ChangeRationale:(Part2.1)
AddedtheabilitytonotdothisduringCIPExceptionalCircumstances.
Referencetopriorversion:(Part2.2)CIP0064cR1.6.1
ChangeRationale:(Part2.2)
AddedtheabilitytonotdothisduringCIPExceptionalCircumstances,addressedmultientry
scenariosofthesamepersoninaday(logfirstentryandlastexit),andnameofthepersonwho
isresponsibleorsponsorforthevisitor.Thereisnorequirementtodocumenttheescortor
handoffsbetweenescorts.
Referencetopriorversion:(Part2.3)CIP0064c,R7
ChangeRationale:(Part2.3)
Nochange
RationaleforR3:
ToensureallPhysicalAccessControlSystemsanddevicescontinuetofunctionproperly.
SummaryofChanges:Reformattedintotablestructure.
AddeddetailstoaddressFERCOrderNo.706,Paragraph581,directivestotestmorefrequently
thaneverythreeyears.
GuidelinesandTechnicalBasis
Page24of24
Referencetopriorversion:(Part3.1)CIP0064c,R8.1andR8.2
ChangeRationale:(Part3.1)
AddeddetailstoaddressFERCOrderNo.706,Paragraph581directivestotestmorefrequently
thaneverythreeyears.TheSDTdeterminedthatannualtestingwastoooftenandagreedon
twoyears.
Version History
Version Date Action ChangeTracking
1 1/16/06
R3.2ChangeControlCenterto
controlcenter.
3/24/06
2 9/30/09 Modificationstoclarifytherequirements
andtobringthecomplianceelements
intoconformancewiththelatest
guidelinesfordevelopingcompliance
elementsofstandards.
Removalofreasonablebusiness
judgment.
ReplacedtheRROwiththeREasa
responsibleentity.
RewordingofEffectiveDate.
Changedcompliancemonitorto
ComplianceEnforcementAuthority.
3 12/16/09 UpdatedVersionNumberfrom2to3
InRequirement1.6,deletedthesentence
pertainingtoremovingcomponentor
systemfromserviceinordertoperform
testing,inresponsetoFERCorderissued
September30,2009.
3 12/16/09 ApprovedbytheNERCBoardofTrustees.
3 3/31/10 ApprovedbyFERC.
4 1/24/11 ApprovedbytheNERCBoardofTrustees.
5 11/26/12 AdoptedbytheNERCBoardofTrustees. Modifiedto
coordinatewith
otherCIP
standardsandto
reviseformatto
useRBSTemplate.
Wheretechnicallyfeasible,enableonly
logicalnetworkaccessibleportsthat
havebeendeterminedtobeneededby
theResponsibleEntity,includingport
rangesorserviceswhereneededto
handledynamicports.Ifadevicehas
noprovisionfordisablingorrestricting
logicalportsonthedevicethenthose
portsthatareopenaredeemed
needed.
Examplesofevidencemayinclude,but
arenotlimitedto:
Documentationoftheneedfor
allenabledportsonall
applicableCyberAssetsand
ElectronicAccessPoints,
individuallyorbygroup.
Listingsofthelisteningportson
theCyberAssets,individuallyor
bygroup,fromeitherthedevice
configurationfiles,command
output(suchasnetstat),or
networkscansofopenports;or
Configurationfilesofhost
basedfirewallsorotherdevice
levelmechanismsthatonly
allowneededportsanddenyall
others.
CIP0075CyberSecuritySystemsSecurityManagement
Page7of42
CIP0075TableR1PortsandServices
Part ApplicableSystems Requirements Measures
1.2 HighImpactBESCyberSystems
MediumImpactBESCyberSystemsat
ControlCenters
Protectagainsttheuseofunnecessary
physicalinput/outputportsusedfor
networkconnectivity,console
commands,orremovablemedia.
Anexampleofevidencemayinclude,
butisnotlimitedto,documentation
showingtypesofprotectionofphysical
input/outputports,eitherlogically
throughsystemconfigurationor
physicallyusingaportlockorsignage.
R2. EachResponsibleEntityshallimplement,inamannerthatidentifies,assesses,andcorrectsdeficiencies,oneormore
documentedprocessesthatcollectivelyincludeeachoftheapplicablerequirementpartsinCIP0075TableR2Security
PatchManagement.[ViolationRiskFactor:Medium][TimeHorizon:OperationsPlanning].
M2. Evidencemustincludeeachoftheapplicabledocumentedprocessesthatcollectivelyincludeeachoftheapplicable
requirementpartsinCIP0075TableR2SecurityPatchManagementandadditionalevidencetodemonstrate
implementationasdescribedintheMeasurescolumnofthetable.
CIP0075CyberSecuritySystemsSecurityManagement
Page8of42
CIP0075TableR2SecurityPatchManagement
Part ApplicableSystems Requirements Measures
2.1 HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;
2. PACS;and
3. PCA
MediumImpactBESCyberSystems
andtheirassociated:
1. EACMS;
2. PACS;and
3. PCA
Apatchmanagementprocessfor
tracking,evaluating,andinstalling
cybersecuritypatchesforapplicable
CyberAssets.Thetrackingportion
shallincludetheidentificationofa
sourceorsourcesthatthe
ResponsibleEntitytracksforthe
releaseofcybersecuritypatchesfor
applicableCyberAssetsthatare
updateableandforwhichapatching
sourceexists.
Anexampleofevidencemayinclude,
butisnotlimitedto,documentation
ofapatchmanagementprocessand
documentationorlistsofsourcesthat
aremonitored,whetheronan
individualBESCyberSystemorCyber
Assetbasis.
CIP0075CyberSecuritySystemsSecurityManagement
Page9of42
CIP0075TableR2SecurityPatchManagement
Part ApplicableSystems Requirements Measures
2.2 HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;
2. PACS;and
3. PCA
MediumImpactBESCyberSystems
andtheirassociated:
1. EACMS;
2. PACS;and
3. PCA
Atleastonceevery35calendardays,
evaluatesecuritypatchesfor
applicabilitythathavebeenreleased
sincethelastevaluationfromthe
sourceorsourcesidentifiedinPart
2.1.
Anexampleofevidencemayinclude,
butisnotlimitedto,anevaluation
conductedby,referencedby,oron
behalfofaResponsibleEntityof
securityrelatedpatchesreleasedby
thedocumentedsourcesatleastonce
every35calendardays.
CIP0075CyberSecuritySystemsSecurityManagement
Page10of42
CIP0075TableR2SecurityPatchManagement
Part ApplicableSystems Requirements Measures
2.3 HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;
2. PACS;and
3. PCA
MediumImpactBESCyberSystems
andtheirassociated:
1. EACMS;
2. PACS;and
3. PCA
Forapplicablepatchesidentifiedin
Part2.2,within35calendardaysof
theevaluationcompletion,takeone
ofthefollowingactions:
Applytheapplicablepatches;or
Createadatedmitigationplan;
or
Reviseanexistingmitigation
plan.
Mitigationplansshallincludethe
ResponsibleEntitysplannedactions
tomitigatethevulnerabilities
addressedbyeachsecuritypatchand
atimeframetocompletethese
mitigations.
Examplesofevidencemayinclude,
butarenotlimitedto:
Recordsoftheinstallationof
thepatch(e.g.,exportsfrom
automatedpatch
managementtoolsthat
provideinstallationdate,
verificationofBESCyber
SystemComponentsoftware
revision,orregistryexports
thatshowsoftwarehasbeen
installed);or
Adatedplanshowingwhen
andhowthevulnerabilitywill
beaddressed,toinclude
documentationoftheactions
tobetakenbytheResponsible
Entitytomitigatethe
vulnerabilitiesaddressedby
thesecuritypatchanda
timeframeforthecompletion
ofthesemitigations.
CIP0075CyberSecuritySystemsSecurityManagement
Page11of42
CIP0075TableR2SecurityPatchManagement
Part ApplicableSystems Requirements Measures
2.4 HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;
2. PACS;and
3. PCA
MediumImpactBESCyberSystems
andtheirassociated:
1. EACMS;
2. PACS;and
3. PCA
Foreachmitigationplancreatedor
revisedinPart2.3,implementthe
planwithinthetimeframespecifiedin
theplan,unlessarevisiontotheplan
oranextensiontothetimeframe
specifiedinPart2.3isapprovedby
theCIPSeniorManagerordelegate.
Anexampleofevidencemayinclude,
butisnotlimitedto,recordsof
implementationofmitigations.
R3. EachResponsibleEntityshallimplement,inamannerthatidentifies,assesses,andcorrectsdeficiencies,oneormore
documentedprocessesthatcollectivelyincludeeachoftheapplicablerequirementpartsinCIP0075TableR3Malicious
CodePrevention.[ViolationRiskFactor:Medium][TimeHorizon:SameDayOperations].
M3. Evidencemustincludeeachofthedocumentedprocessesthatcollectivelyincludeeachoftheapplicablerequirement
partsinCIP0075TableR3MaliciousCodePreventionandadditionalevidencetodemonstrateimplementationas
describedintheMeasurescolumnofthetable.
CIP0075CyberSecuritySystemsSecurityManagement
Page12of42
CIP0075TableR3MaliciousCodePrevention
Part ApplicableSystems Requirements Measures
3.1 HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;
2. PACS;and
3. PCA
MediumImpactBESCyberSystems
andtheirassociated:
1. EACMS;
2. PACS;and
3. PCA
Deploymethod(s)todeter,detect,or
preventmaliciouscode.
Anexampleofevidencemayinclude,
butisnotlimitedto,recordsofthe
ResponsibleEntitysperformanceof
theseprocesses(e.g.,through
traditionalantivirus,system
hardening,policies,etc.).
CIP0075CyberSecuritySystemsSecurityManagement
Page13of42
CIP0075TableR3MaliciousCodePrevention
Part ApplicableSystems Requirements Measures
3.2 HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;
2. PACS;and
3. PCA
MediumImpactBESCyberSystems
andtheirassociated:
1. EACMS;
2. PACS;and
3. PCA
Mitigatethethreatofdetected
maliciouscode.
Examplesofevidencemayinclude,
butarenotlimitedto:
Recordsofresponseprocesses
formaliciouscodedetection
Recordsoftheperformanceof
theseprocesseswhenmalicious
codeisdetected.
3.3 HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;
2. PACS;and
3. PCA
MediumImpactBESCyberSystems
andtheirassociated:
1. EACMS;
2. PACS;and
3. PCA
ForthosemethodsidentifiedinPart
3.1thatusesignaturesorpatterns,
haveaprocessfortheupdateofthe
signaturesorpatterns.Theprocess
mustaddresstestingandinstallingthe
signaturesorpatterns.
Anexampleofevidencemayinclude,
butisnotlimitedto,documentation
showingtheprocessusedforthe
updateofsignaturesorpatterns.
CIP0075CyberSecuritySystemsSecurityManagement
Page14of42
R4. EachResponsibleEntityshallimplement,inamannerthatidentifies,assesses,andcorrectsdeficiencies,oneormore
documentedprocessesthatcollectivelyincludeeachoftheapplicablerequirementpartsinCIP0075TableR4Security
EventMonitoring.[ViolationRiskFactor:Medium][TimeHorizon:SameDayOperationsandOperationsAssessment.]
M4. Evidencemustincludeeachofthedocumentedprocessesthatcollectivelyincludeeachoftheapplicablerequirement
partsinCIP0075TableR4SecurityEventMonitoringandadditionalevidencetodemonstrateimplementationas
describedintheMeasurescolumnofthetable.
CIP0075TableR4SecurityEventMonitoring
Part ApplicableSystems Requirements Measures
4.1 HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;
2. PACS;and
3. PCA
MediumImpactBESCyberSystems
andtheirassociated:
1. EACMS;
2. PACS;and
3. PCA
LogeventsattheBESCyberSystem
level(perBESCyberSystemcapability)
orattheCyberAssetlevel(perCyber
Assetcapability)foridentificationof,
andafterthefactinvestigationsof,
CyberSecurityIncidentsthatincludes,
asaminimum,eachofthefollowing
typesofevents:
4.1.1. Detectedsuccessfullogin
attempts;
4.1.2. Detectedfailedaccess
attemptsandfailedlogin
attempts;
4.1.3. Detectedmaliciouscode.
Examplesofevidencemayinclude,but
arenotlimitedto,apaperorsystem
generatedlistingofeventtypesfor
whichtheBESCyberSystemiscapable
ofdetectingand,forgenerated
events,isconfiguredtolog.Thislisting
mustincludetherequiredtypesof
events.
CIP0075CyberSecuritySystemsSecurityManagement
Page15of42
CIP0075TableR4SecurityEventMonitoring
Part ApplicableSystems Requirements Measures
4.2 HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;
2. PACS;and
3. PCA
MediumImpactBESCyberSystems
withExternalRoutableConnectivity
andtheirassociated:
1. EACMS;
2. PACS;and
3. PCA
Generatealertsforsecurityevents
thattheResponsibleEntity
determinesnecessitatesanalert,that
includes,asaminimum,eachofthe
followingtypesofevents(perCyber
AssetorBESCyberSystemcapability):
4.2.1. Detectedmaliciouscodefrom
Part4.1;and
4.2.2. DetectedfailureofPart4.1
eventlogging.
Examplesofevidencemayinclude,but
arenotlimitedto,paperorsystem
generatedlistingofsecurityevents
thattheResponsibleEntity
determinednecessitatealerts,
includingpaperorsystemgenerated
listshowinghowalertsareconfigured.
CIP0075CyberSecuritySystemsSecurityManagement
Page16of42
CIP0075TableR4SecurityEventMonitoring
Part ApplicableSystems Requirements Measures
4.3 HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;
2. PACS;and
3. PCA
MediumImpactBESCyberSystemsat
ControlCentersandtheirassociated:
1. EACMS;
2. PACS;and
3. PCA
Wheretechnicallyfeasible,retain
applicableeventlogsidentifiedinPart
4.1foratleastthelast90consecutive
calendardaysexceptunderCIP
ExceptionalCircumstances.
Examplesofevidencemayinclude,but
arenotlimitedto,documentationof
theeventlogretentionprocessand
paperorsystemgeneratedreports
showinglogretentionconfiguration
setat90daysorgreater.
4.4 HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;and
2. PCA
Reviewasummarizationorsampling
ofloggedeventsasdeterminedbythe
ResponsibleEntityatintervalsno
greaterthan15calendardaysto
identifyundetectedCyberSecurity
Incidents.
Examplesofevidencemayinclude,but
arenotlimitedto,documentation
describingthereview,anyfindings
fromthereview(ifany),anddated
documentationshowingthereview
occurred.
R5. EachResponsibleEntityshallimplement,inamannerthatidentifies,assesses,andcorrectsdeficiencies,oneormore
documentedprocessesthatcollectivelyincludeeachoftheapplicablerequirementpartsinCIP0075TableR5System
AccessControls.[ViolationRiskFactor:Medium][TimeHorizon:OperationsPlanning].
M5. Evidencemustincludeeachoftheapplicabledocumentedprocessesthatcollectivelyincludeeachoftheapplicable
requirementpartsinCIP0075Table5SystemAccessControlsandadditionalevidencetodemonstrateimplementation
asdescribedintheMeasurescolumnofthetable.
CIP0075CyberSecuritySystemsSecurityManagement
Page17of42
CIP0075TableR5SystemAccessControl
Part ApplicableSystems Requirements Measures
5.1 HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;
2. PACS;and
3. PCA
MediumImpactBESCyberSystemsat
ControlCentersandtheirassociated:
1. EACMS;
2. PACS;and
3. PCA
MediumImpactBESCyberSystems
withExternalRoutableConnectivity
andtheirassociated:
1. EACMS;
2. PACS;and
3. PCA
Haveamethod(s)toenforce
authenticationofinteractiveuseraccess,
wheretechnicallyfeasible.
Anexampleofevidencemayinclude,
butisnotlimitedto,documentation
describinghowaccessis
authenticated.
CIP0075CyberSecuritySystemsSecurityManagement
Page18of42
CIP0075TableR5SystemAccessControl
Part ApplicableSystems Requirements Measures
5.2 HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;
2. PACS;and
3. PCA
MediumImpactBESCyberSystems
andtheirassociated:
1. EACMS;
2. PACS;and
3. PCA
Identifyandinventoryallknownenabled
defaultorothergenericaccounttypes,
eitherbysystem,bygroupsofsystems,by
location,orbysystemtype(s).
Anexampleofevidencemayinclude,
butisnotlimitedto,alistingof
accountsbyaccounttypesshowing
theenabledorgenericaccounttypes
inusefortheBESCyberSystem.
CIP0075CyberSecuritySystemsSecurityManagement
Page19of42
CIP0075TableR5SystemAccessControl
Part ApplicableSystems Requirements Measures
5.3 HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;
2. PACS;and
3. PCA
MediumImpactBESCyberSystems
withExternalRoutableConnectivity
andtheirassociated:
1. EACMS;
2. PACS;and
3. PCA
Identifyindividualswhohaveauthorized
accesstosharedaccounts.
Anexampleofevidencemayinclude,
butisnotlimitedto,listingofshared
accountsandtheindividualswhohave
authorizedaccesstoeachshared
account.
CIP0075CyberSecuritySystemsSecurityManagement
Page20of42
CIP0075TableR5SystemAccessControl
Part ApplicableSystems Requirements Measures
5.4
HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;
2. PACS;and
3. PCA
MediumImpactBESCyberSystems
andtheirassociated:
1. EACMS;
2. PACS;and
3. PCA
Changeknowndefaultpasswords,per
CyberAssetcapability
Examplesofevidencemayinclude,but
arenotlimitedto:
Recordsofaprocedurethat
passwordsarechangedwhennew
devicesareinproduction;or
Documentationinsystemmanuals
orothervendordocuments
showingdefaultvendor
passwordsweregenerated
pseudorandomlyandarethereby
uniquetothedevice.
CIP0075CyberSecuritySystemsSecurityManagement
Page21of42
CIP0075TableR5SystemAccessControl
Part ApplicableSystems Requirements Measures
5.5 HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;
2. PACS;and
3. PCA
MediumImpactBESCyberSystems
andtheirassociated:
1. EACMS;
2. PACS;and
3. PCA
Forpasswordonlyauthenticationfor
interactiveuseraccess,eithertechnically
orprocedurallyenforcethefollowing
passwordparameters:
5.5.1. Passwordlengththatis,atleast,
thelesserofeightcharactersor
themaximumlengthsupportedby
theCyberAsset;and
5.5.2. Minimumpasswordcomplexity
thatisthelesserofthreeormore
differenttypesofcharacters(e.g.,
uppercasealphabetic,lowercase
alphabetic,numeric,non
alphanumeric)orthemaximum
complexitysupportedbytheCyber
Asset.
Examplesofevidencemayinclude,but
arenotlimitedto:
Systemgeneratedreportsor
screenshotsofthesystem
enforcedpasswordparameters,
includinglengthandcomplexity;
or
Attestationsthatincludea
referencetothedocumented
proceduresthatwerefollowed.
CIP0075CyberSecuritySystemsSecurityManagement
Page22of42
CIP0075TableR5SystemAccessControl
Part ApplicableSystems Requirements Measures
5.6 HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;
2. PACS;and
3. PCA
MediumImpactBESCyberSystems
withExternalRoutableConnectivity
andtheirassociated:
1. EACMS;
2. PACS;and
3. PCA
Wheretechnicallyfeasible,for
passwordonlyauthenticationfor
interactiveuseraccess,either
technicallyorprocedurallyenforce
passwordchangesoranobligationto
changethepasswordatleastonce
every15calendarmonths.
Examplesofevidencemayinclude,
butarenotlimitedto:
Systemgeneratedreportsor
screenshotsofthesystem
enforcedperiodicityofchanging
passwords;or
Attestationsthatincludea
referencetothedocumented
proceduresthatwerefollowed.
CIP0075CyberSecuritySystemsSecurityManagement
Page23of42
CIP0075TableR5SystemAccessControl
Part ApplicableSystems Requirements Measures
5.7 HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;
2. PACS;and
3. PCA
MediumImpactBESCyberSystems
atControlCentersandtheir
associated:
1. EACMS;
2. PACS;and
3. PCA
Wheretechnicallyfeasible,either:
Limitthenumberof
unsuccessfulauthentication
attempts;or
Generatealertsaftera
thresholdofunsuccessful
authenticationattempts.
Examplesofevidencemayinclude,
butarenotlimitedto:
Documentationoftheaccount
lockoutparameters;or
Rulesinthealertingconfiguration
showinghowthesystemnotified
individualsafteradetermined
numberofunsuccessfullogin
attempts.
CIP0075CyberSecuritySystemsSecurityManagement
Page24of42
C. Compliance
1. ComplianceMonitoringProcess:
1.1. ComplianceEnforcementAuthority:
TheRegionalEntityshallserveastheComplianceEnforcementAuthority(CEA)unlessthe
applicableentityisowned,operated,orcontrolledbytheRegionalEntity.Insuchcasesthe
EROoraRegionalEntityapprovedbyFERCorotherapplicablegovernmentalauthorityshall
serveastheCEA.
1.2. EvidenceRetention:
Thefollowingevidenceretentionperiodsidentifytheperiodoftimeanentityisrequiredto
retainspecificevidencetodemonstratecompliance.Forinstanceswheretheevidence
retentionperiodspecifiedbelowisshorterthanthetimesincethelastaudit,theCEAmayask
anentitytoprovideotherevidencetoshowthatitwascompliantforthefulltimeperiodsince
thelastaudit.
TheResponsibleEntityshallkeepdataorevidencetoshowcomplianceasidentifiedbelow
unlessdirectedbyitsCEAtoretainspecificevidenceforalongerperiodoftimeaspartofan
investigation:
EachResponsibleEntityshallretainevidenceofeachrequirementinthisstandardforthree
calendaryears.
IfaResponsibleEntityisfoundnoncompliant,itshallkeepinformationrelatedtothenon
complianceuntilmitigationiscompleteandapprovedorforthetimespecifiedabove,
whicheverislonger.
TheCEAshallkeepthelastauditrecordsandallrequestedandsubmittedsubsequentaudit
records.
1.3. ComplianceMonitoringandAssessmentProcesses:
ComplianceAudit
SelfCertification
SpotChecking
ComplianceInvestigation
SelfReporting
Complaint
1.4. AdditionalComplianceInformation:
None
CIP0075CyberSecuritySystemsSecurityManagement
Page25of42
D. Regional Variances
None.
E. Interpretations
None.
F. Associated Documents
None.
GuidelinesandTechnicalBasis
Page26of42
Guidelines and Technical Basis
Section4ScopeofApplicabilityoftheCIPCyberSecurityStandards
Section4.ApplicabilityofthestandardsprovidesimportantinformationforResponsible
EntitiestodeterminethescopeoftheapplicabilityoftheCIPCyberSecurityRequirements.
Section4.1.FunctionalEntitiesisalistofNERCfunctionalentitiestowhichthestandard
applies.IftheentityisregisteredasoneormoreofthefunctionalentitieslistedinSection4.1,
thentheNERCCIPCyberSecurityStandardsapply.NotethatthereisaqualificationinSection
4.1thatrestrictstheapplicabilityinthecaseofDistributionProviderstoonlythosethatown
certaintypesofsystemsandequipmentlistedin4.2.Furthermore,
Section4.2.FacilitiesdefinesthescopeoftheFacilities,systems,andequipmentownedby
theResponsibleEntity,asqualifiedinSection4.1,thatissubjecttotherequirementsofthe
standard.Asspecifiedintheexemptionsection4.2.3.5,thisstandarddoesnotapplyto
ResponsibleEntitiesthatdonothaveHighImpactorMediumImpactBESCyberSystemsunder
CIP0025scategorization.InadditiontothesetofBESFacilities,ControlCenters,andother
systemsandequipment,thelistincludesthesetofsystemsandequipmentownedby
DistributionProviders.WhiletheNERCGlossarytermFacilitiesalreadyincludestheBES
characteristic,theadditionaluseofthetermBEShereismeanttoreinforcethescopeof
applicabilityoftheseFacilitieswhereitisused,especiallyinthisapplicabilityscopingsection.
ThisineffectsetsthescopeofFacilities,systems,andequipmentthatissubjecttothe
standards.
RequirementR1:
RequirementR1existstoreducetheattacksurfaceofCyberAssetsbyrequiringentitiesto
disableknownunnecessaryports.TheSDTintendsfortheentitytoknowwhatnetwork
accessible(listening)portsandassociatedservicesareaccessibleontheirassetsandsystems,
whethertheyareneededforthatCyberAssetsfunction,anddisableorrestrictaccesstoall
otherports.
1.1. Thisrequirementismostoftenaccomplishedbydisablingthecorrespondingserviceor
programthatislisteningontheportorconfigurationsettingswithintheCyberAsset.Itcan
alsobeaccomplishedthroughusinghostbasedfirewalls,TCP_Wrappers,orothermeanson
theCyberAssettorestrictaccess.NotethattherequirementisapplicableattheCyberAsset
level.TheCyberAssetsarethosewhichcomprisetheapplicableBESCyberSystemsandtheir
associatedCyberAssets.Thiscontrolisanotherlayerinthedefenseagainstnetworkbased
attacks,thereforetheSDTintendsthatthecontrolbeonthedeviceitself,orpositionedinline
inanonbypassablemanner.BlockingportsattheESPborderdoesnotsubstituteforthis
devicelevelrequirement.Ifadevicehasnoprovisionfordisablingorrestrictinglogicalports
onthedevice(examplepurposebuiltdevicesthatrunfromfirmwarewithnoport
configurationavailable)thenthoseportsthatareopenaredeemedneeded.
1.2. ExamplesofphysicalI/Oportsincludenetwork,serialandUSBportsexternaltothe
devicecasing.BESCyberSystemsshouldexistwithinaPhysicalSecurityPerimeterinwhich
GuidelinesandTechnicalBasis
Page27of42
casethephysicalI/Oportshaveprotectionfromunauthorizedaccess,butitmaystillbe
possibleforaccidentalusesuchasconnectingamodem,connectinganetworkcablethat
bridgesnetworks,orinsertingaUSBdrive.Portsusedforconsolecommandsprimarilymeans
serialportsonCyberAssetsthatprovideanadministrativeinterface.
Theprotectionoftheseportscanbeaccomplishedinseveralwaysincluding,butnotlimitedto:
DisablingallunneededphysicalportswithintheCyberAssetsconfiguration
Prominentsignage,tampertape,orothermeansofconveyingthattheports
shouldnotbeusedwithoutproperauthorization
Physicalportobstructionthroughremovablelocks
Thisisadefenseindepthtypecontrolanditisacknowledgedthatthereareotherlayersof
control(thePSPforone)thatpreventunauthorizedpersonnelfromgainingphysicalaccessto
theseports.Evenwithphysicalaccess,ithasbeenpointedoutthereareotherwaysto
circumventthecontrol.Thiscontrol,withitsinclusionofmeanssuchassignage,isnotmeant
tobeapreventativecontrolagainstintruders.Signageisindeedadirectivecontrol,nota
preventativeone.However,withadefenseindepthposture,differentlayersandtypesof
controlsarerequiredthroughoutthestandardwiththisprovidinganotherlayerfordepthin
ControlCenterenvironments.Oncephysicalaccesshasbeenachievedthroughtheother
preventativeanddetectivemeasuresbyauthorizedpersonnel,adirectivecontrolthatoutlines
properbehaviorasalastlineofdefenseareappropriateinthesehighestriskareas.Inessence,
signagewouldbeusedtoremindauthorizeduserstothinkbeforeyoupluganythingintoone
ofthesesystemswhichistheintent.Thiscontrolisnotdesignedprimarilyforintruders,but
forexampletheauthorizedemployeewhointendstoplughispossiblyinfectedsmartphone
intoanoperatorconsoleUSBporttochargethebattery.
RequirementR2:
TheSDTsintentofRequirementR2istorequireentitiestoknow,track,andmitigatethe
knownsoftwarevulnerabilitiesassociatedwiththeirBESCyberAssets.Itisnotstrictlyan
installeverysecuritypatchrequirement;themainintentionistobeawareofinatimely
mannerandmanageallknownvulnerabilitiesrequirement.
PatchmanagementisrequiredforBESCyberSystemsthatareaccessibleremotelyaswellas
standalonesystems.Standalonesystemsarevulnerabletointentionalorunintentional
introductionofmaliciouscode.Asounddefenseindepthsecuritystrategyemploysadditional
measuressuchasphysicalsecurity,malwarepreventionsoftware,andsoftwarepatch
managementtoreducetheintroductionofmaliciouscodeortheexploitofknown
vulnerabilities.
Oneormultipleprocessescouldbeutilized.Anoverallassessmentprocessmayexistinatop
tierdocumentwithlowertierdocumentsestablishingthemoredetailedprocessfollowedfor
individualsystems.LowertierdocumentscouldbeusedtocoverBESCyberSystemnuances
thatmayoccuratthesystemlevel.
2.1. TheResponsibleEntityistohaveapatchmanagementprogramthatcoverstracking,
evaluating,andinstallingcybersecuritypatches.Therequirementappliestopatchesonly,
GuidelinesandTechnicalBasis
Page28of42
whicharefixesreleasedtohandleaspecificvulnerabilityinahardwareorsoftwareproduct.
Therequirementcoversonlypatchesthatinvolvecybersecurityfixesanddoesnotcover
patchesthatarepurelyfunctionalityrelatedwithnocybersecurityimpact.Trackinginvolves
processesfornotificationoftheavailabilityofnewcybersecuritypatchesfortheCyberAssets.
Documentingthepatchsourceinthetrackingportionoftheprocessisrequiredtodetermine
whentheassessmenttimeframeclockstarts.Thisrequirementhandlesthesituationwhere
securitypatchescancomefromanoriginalsource(suchasanoperatingsystemvendor),but
mustbeapprovedorcertifiedbyanothersource(suchasacontrolsystemvendor)beforethey
canbeassessedandappliedinordertonotjeopardizetheavailabilityorintegrityofthecontrol
system.Thesourcecantakemanyforms.TheNationalVulnerabilityDatabase,Operating
Systemvendors,orControlSystemvendorscouldallbesourcestomonitorforreleaseof
securityrelatedpatches,hotfixes,and/orupdates.ApatchsourceisnotrequiredforCyber
Assetsthathavenoupdateablesoftwareorfirmware(thereisnouseraccessiblewaytoupdate
theinternalsoftwareorfirmwareexecutingontheCyberAsset),orthoseCyberAssetsthat
havenoexistingsourceofpatchessuchasvendorsthatnolongerexist.Theidentificationof
thesesourcesisintendedtobeperformedonceunlesssoftwareischangedoraddedtothe
CyberAssetsbaseline.
2.2. ResponsibleEntitiesaretoperformanassessmentofsecurityrelatedpatcheswithin35
daysofreleasefromtheirmonitoredsource.Anassessmentshouldconsistofdeterminationof
theapplicabilityofeachpatchtotheentitysspecificenvironmentandsystems.Applicability
determinationisbasedprimarilyonwhetherthepatchappliestoaspecificsoftwareor
hardwarecomponentthattheentitydoeshaveinstalledinanapplicableCyberAsset.Apatch
thatappliestoaserviceorcomponentthatisnotinstalledintheentitysenvironmentisnot
applicable.Ifthepatchisdeterminedtobenonapplicable,thatisdocumentedwiththe
reasonswhyandtheentityiscompliant.Ifthepatchisapplicable,theassessmentcaninclude
adeterminationoftheriskinvolved,howthevulnerabilitycanberemediated,theurgencyand
timeframeoftheremediation,andthestepstheentityhaspreviouslytakenorwilltake.
Considerablecaremustbetakeninapplyingsecurityrelatedpatches,hotfixes,and/orupdates
orapplyingcompensatingmeasurestoBESCyberSystemorBESCyberAssetsthatarenolonger
supportedbyvendors.Itispossiblesecuritypatches,hotfixes,andupdatesmayreducethe
reliabilityofthesystem,andentitiesshouldtakethisintoaccountwhendeterminingthetype
ofmitigationtoapply.TheResponsibleEntitiescanusetheinformationprovidedinthe
DepartmentofHomelandSecurityQuarterlyReportonCyberVulnerabilitiesofPotentialRisk
toControlSystemsasasource.TheDHSdocumentRecommendedPracticeforPatch
ManagementofControlSystemsprovidesguidanceonanevaluativeprocess.Itusesseverity
levelsdeterminedusingtheCommonVulnerabilityScoringSystemVersion2.Determination
thatasecurityrelatedpatch,hotfix,and/orupdateposestoogreatarisktoinstallonasystem
orisnotapplicableduetothesystemconfigurationshouldnotrequireaTFE.
Whendocumentingtheremediationplanmeasuresitmaynotbenecessarytodocumentthem
onaonetoonebasis.Theremediationplanmeasuresmaybecumulative.Ameasureto
addressasoftwarevulnerabilitymayinvolvedisablingaparticularservice.Thatsameservice
maybeexploitedthroughothersoftwarevulnerabilities.Thereforedisablingthesingleservice
hasaddressedmultiplepatchedvulnerabilities.
GuidelinesandTechnicalBasis
Page29of42
2.3. Therequirementhandlesthesituationswhereitismoreofareliabilityrisktopatcha
runningsystemthanthevulnerabilitypresents.Inallcases,theentityeitherinstallsthepatch
ordocuments(eitherthroughthecreationofaneworupdateofanexistingmitigationplan)
whattheyaregoingtodotomitigatethevulnerabilityandwhentheyaregoingtodoso.There
aretimeswhenitisinthebestinterestofreliabilitytonotinstallapatch,andtheentitycan
documentwhattheyhavedonetomitigatethevulnerability.Forthosesecurityrelated
patchesthataredeterminedtobeapplicable,theResponsibleEntitymustwithin35dayseither
installthepatch,createadatedmitigationplanwhichwilloutlinetheactionstobetakenor
thosethathavealreadybeentakenbytheResponsibleEntitytomitigatethevulnerabilities
addressedbythesecuritypatch,orreviseanexistingmitigationplan.Timeframesdonothave
tobedesignatedasaparticularcalendardaybutcanhaveeventdesignationssuchasatnext
scheduledoutageofatleasttwodaysduration.Mitigationplansinthestandardrefersto
internaldocumentsandarenottobeconfusedwithplansthataresubmittedtoRegional
Entitiesinresponsetoviolations.
2.4. Theentityhasbeennotifiedof,hasassessed,andhasdevelopedaplantoremediate
theknownriskandthatplanmustbeimplemented.Remediationplansthatonlyincludesteps
thathavebeenpreviouslytakenareconsideredimplementeduponcompletionofthe
documentation.Remediationplansthathavestepstobetakentoremediatethevulnerability
mustbeimplementedbythetimeframetheentitydocumentedintheirplan.Thereisno
maximumtimeframeinthisrequirementaspatchingandothersystemchangescarriesitsown
risktotheavailabilityandintegrityofthesystemsandmayrequirewaitinguntilaplanned
outage.Inperiodsofhighdemandorthreateningweather,changestosystemsmaybe
curtailedordeniedduetotherisktoreliability.
RequirementR3:
3.1. DuetothewiderangeofequipmentcomprisingtheBESCyberSystemsandthewide
varietyofvulnerabilityandcapabilityofthatequipmenttomalwareaswellastheconstantly
evolvingthreatandresultanttoolsandcontrols,itisnotpracticalwithinthestandardto
prescribehowmalwareistobeaddressedoneachCyberAsset.Rather,theResponsibleEntity
determinesonaBESCyberSystembasiswhichCyberAssetshavesusceptibilitytomalware
intrusionsanddocumentstheirplansandprocessesforaddressingthoserisksandprovides
evidencethattheyfollowthoseplansandprocesses.Therearenumerousoptionsavailable
includingtraditionalantivirussolutionsforcommonoperatingsystems,whitelistingsolutions,
networkisolationtechniques,portablestoragemediapolicies,IntrusionDetection/Prevention
(IDS/IPS)solutions,etc.IfanentityhasnumerousBESCyberSystemsorCyberAssetsthatare
ofidenticalarchitecture,theymayprovideoneprocessthatdescribeshowallthelikeCyber
Assetsarecovered.IfaspecificCyberAssethasnoupdateablesoftwareanditsexecutingcode
cannotbealtered,thenthatCyberAssetisconsideredtohaveitsowninternalmethodof
deterringmaliciouscode.
3.2. WhenmaliciouscodeisdetectedonaCyberAssetwithintheapplicabilityofthis
requirement,thethreatposedbythatcodemustbemitigated.Insituationswheretraditional
antivirusproductsareused,theymaybeconfiguredtoautomaticallyremoveorquarantinethe
maliciouscode.Inwhitelistingsituations,thewhitelistingtoolitselfcanmitigatethethreatas
GuidelinesandTechnicalBasis
Page30of42
itwillnotallowthecodetoexecute,howeverstepsshouldstillbetakentoremovethe
maliciouscodefromtheCyberAsset.Insomeinstances,itmaybeinthebestinterestof
reliabilitytonotimmediatelyremoveorquarantinethemaliciouscode,suchaswhen
availabilityofthesystemmaybejeopardizedbyremovalwhileoperatingandarebuildofthe
systemneedstobescheduled.Inthatcase,monitoringmaybeincreasedandstepstakento
insurethemaliciouscodecannotcommunicatewithothersystems.Insomeinstancesthe
entitymaybeworkingwithlawenforcementorothergovernmentalentitiestocloselymonitor
thecodeandtracktheperpetrator(s).Forthesereasons,thereisnomaximumtimeframeor
methodprescribedfortheremovalofthemaliciouscode,buttherequirementistomitigate
thethreatposedbythenowidentifiedmaliciouscode.
3.3. Ininstanceswheremalwaredetectiontechnologiesdependonsignaturesorpatternsof
knownattacks,theeffectivenessofthesetoolsagainstevolvingthreatsistiedtotheabilityto
keepthesesignaturesandpatternsupdatedinatimelymanner.Theentityistohavea
documentedprocessthatincludesthetestingandinstallationofsignatureorpatternupdates.
InaBESCyberSystem,theremaybesomeCyberAssetsthatwouldbenefitfromthemore
timelyinstallationoftheupdateswhereavailabilityofthatCyberAssetwouldnotjeopardize
theavailabilityoftheBESCyberSystemsabilitytoperformitsfunction.Forexample,some
HMIworkstationswhereportablemediaisutilizedmaybenefitfromhavingtheverylatest
updatesatalltimeswithminimaltesting.OtherCyberAssetsshouldhaveanyupdates
thoroughlytestedbeforeimplementationwheretheresultofafalsepositivecouldharmthe
availabilityoftheBESCyberSystem.Thetestingshouldnotnegativelyimpactthereliabilityof
theBES.Thetestingshouldbefocusedontheupdateitselfandifitwillhaveanadverseimpact
ontheBESCyberSystem.Testinginnowayimpliesthattheentityistestingtoensurethat
malwareisindeeddetectedbyintroducingmalwareintotheenvironment.Itisstrictlyfocused
onensuringthattheupdatedoesnotnegativelyimpacttheBESCyberSystembeforethose
updatesareplacedintoproduction.
RequirementR4:
RefertoNIST80092and800137foradditionalguidanceinsecurityeventmonitoring.
4.1. Inacomplexcomputingenvironmentandfacedwithdynamicthreatsand
vulnerabilities,itisnotpracticalwithinthestandardtoenumerateallsecurityrelatedevents
necessarytosupporttheactivitiesforalertingandincidentresponse.Rather,theResponsible
Entitydetermineswhichcomputergeneratedeventsarenecessarytolog,providealertsand
monitorfortheirparticularBESCyberSystemenvironment.
SpecificsecurityeventsalreadyrequiredinVersion4oftheCIPStandardscarryforwardinthis
version.ThisincludesaccessattemptsattheElectronicAccessPoints,ifanyhavebeen
identifiedforaBESCyberSystems.Examplesofaccessattemptsinclude:(i)blockednetwork
accessattempts,(ii)successfulandunsuccessfulremoteuseraccessattempts,(iii)blocked
networkaccessattemptsfromaremoteVPN,and(iv)successfulnetworkaccessattemptsor
networkflowinformation.
UseraccessandactivityeventsincludethoseeventsgeneratedbyCyberAssetswithinthe
ElectronicSecurityPerimeterthathaveaccesscontrolcapability.Thesetypesofeventsinclude:
GuidelinesandTechnicalBasis
Page31of42
(i)successfulandunsuccessfulauthentication,(ii)accountmanagement,(iii)objectaccess,and
(iv)processesstartedandstopped.
ItisnottheintentoftheSDTthatifadevicecannotlogaparticulareventthataTFEmustbe
generated.TheSDTsintentisthatifanyoftheitemsinthebulletedlist(forexample,user
logouts)canbeloggedbythedevicethentheentitymustlogthatitem.Ifthedevicedoesnot
havethecapabilityofloggingthatevent,theentityremainscompliant.
4.2. Realtimealertingallowsthecybersystemtoautomaticallycommunicateeventsof
significancetodesignatedresponders.Thisinvolvesconfigurationofacommunication
mechanismandloganalysisrules.Alertscanbeconfiguredintheformofanemail,text
message,orsystemdisplayandalarming.Theloganalysisrulescanexistaspartofthe
operatingsystem,specificapplicationoracentralizedsecurityeventmonitoringsystem.On
oneend,arealtimealertcouldconsistofasetpointonanRTUforaloginfailure,andonthe
otherend,asecurityeventmonitoringsystemcouldprovidemultiplealertingcommunications
optionstriggeredonanynumberofcomplexlogcorrelationrules.
Theeventstriggeringarealtimealertmaychangefromdaytodayassystemadministrators
andincidentrespondersbetterunderstandthetypesofeventsthatmightbeindicationsofa
cybersecurityincident.Configurationofalertsalsomustbalancetheneedforrespondersto
knowaneventoccurredwiththepotentialinundationofinsignificantalerts.Thefollowinglist
includesexamplesofeventsaResponsibleEntityshouldconsiderinconfiguringrealtimealerts:
Detectedknownorpotentialmalwareormaliciousactivity
Failureofsecurityeventloggingmechanisms
Loginfailuresforcriticalaccounts
Interactiveloginofsystemaccounts
Enablingofaccounts
Newlyprovisionedaccounts
Systemadministrationorchangetasksbyanunauthorizeduser
Authenticationattemptsoncertainaccountsduringnonbusinesshours
Unauthorizedconfigurationchanges
Insertionofremovablemediainviolationofapolicy
4.3 LogsthatarecreatedunderPart4.1aretoberetainedontheapplicableCyberAssetsor
BESCyberSystemsforatleast90days.Thisisdifferentthantheevidenceretentionperiod
calledforintheCIPstandardsusedtoprovehistoricalcompliance.Forsuchauditpurposes,
theentityshouldmaintainevidencethatshowsthat90dayswerekepthistorically.One
examplewouldberecordsofdispositionofeventlogsbeyond90daysuptotheevidence
retentionperiod.
4.4. Reviewinglogsatleastevery15days(approximatelyeverytwoweeks)canconsistof
analyzingasummarizationorsamplingofloggedevents.NISTSP80092providesalotof
guidanceinperiodicloganalysis.Ifacentralizedsecurityeventmonitoringsystemisused,log
analysiscanbeperformedtopdownstartingwithareviewoftrendsfromsummaryreports.
GuidelinesandTechnicalBasis
Page32of42
Thelogreviewcanalsobeanextensionoftheexerciseinidentifyingthoseeventsneedingreal
timealertsbyanalyzingeventsthatarenotfullyunderstoodorcouldpossiblyinundatethe
realtimealerting.
RequirementR5:
Accounttypesreferencedinthisguidancetypicallyinclude:
Shareduseraccount:Anaccountusedbymultipleusersfornormalbusinessfunctions
byemployeesorcontractors.UsuallyonadevicethatdoesnotsupportIndividualUser
Accounts.
Individualuseraccount:Anaccountusedbyasingleuser.
Administrativeaccount:Anaccountwithelevatedprivilegesforperforming
administrativeorotherspecializedfunctions.Thesecanbeindividualorshared
accounts.
Systemaccount:Accountsusedtorunservicesonasystem(web,DNS,mailetc).No
usershaveaccesstotheseaccounts.
Applicationaccount:Aspecificsystemaccount,withrightsgrantedattheapplication
leveloftenusedforaccessintoaDatabase.
Guestaccount:Anindividualuseraccountnottypicallyusedfornormalbusiness
functionsbyemployeesorcontractorsandnotassociatedwithaspecificuser.Mayor
maynotbesharedbymultipleusers.
Remoteaccessaccount:AnindividualuseraccountonlyusedforobtainingInteractive
RemoteAccesstotheBESCyberSystem.
Genericaccount:Agroupaccountsetupbytheoperatingsystemorapplicationto
performspecificoperations.Thisdiffersfromashareduseraccountinthatindividual
usersdonotreceiveauthorizationforaccesstothisaccounttype.
5.1 ReferencetheRequirementsrationale.
5.2 Wherepossible,defaultandothergenericaccountsprovidedbyavendorshouldbe
removed,renamed,ordisabledpriortoproductionuseoftheCyberAssetorBESCyberSystem.
Ifthisisnotpossible,thepasswordsmustbechangedfromthedefaultprovidedbythevendor.
Defaultandothergenericaccountsremainingenabledmustbedocumented.Forcommon
configurations,thisdocumentationcanbeperformedataBESCyberSystemormoregeneral
level.
5.3 Entitiesmaychoosetoidentifyindividualswithaccesstosharedaccountsthroughthe
accessauthorizationandprovisioningprocess,inwhichcasetheindividualauthorization
recordssufficetomeetthisRequirementPart.Alternatively,entitiesmaychoosetomaintaina
separatelistingforsharedaccounts.Eitherformofevidenceachievestheendresultof
maintainingcontrolofsharedaccounts.
5.4. Defaultpasswordscanbecommonlypublishedinvendordocumentationthatisreadily
availabletoallcustomersusingthattypeofequipmentandpossiblypublishedonline.
GuidelinesandTechnicalBasis
Page33of42
TherequirementoptiontohaveuniquepasswordaddressescaseswheretheCyberAsset
generatesorhasassignedpseudorandomdefaultpasswordsatthetimeofproductionor
installation.Inthesecases,thedefaultpassworddoesnothavetochangebecausethesystem
ormanufacturercreateditspecifictotheCyberAsset.
5.5. Interactiveuseraccessdoesnotincludereadonlyinformationaccessinwhichthe
configurationoftheCyberAssetcannotchange(e.g.frontpaneldisplays,webbasedreports,
etc.).Fordevicesthatcannottechnicallyorforoperationalreasonsperformauthentication,an
entitymaydemonstrateallinteractiveuseraccesspaths,bothremoteandlocal,areconfigured
forauthentication.Physicalsecuritysufficesforlocalaccessconfigurationifthephysical
securitycanrecordwhoisinthePhysicalSecurityPerimeterandatwhattime.
Technicalorproceduralenforcementofpasswordparametersarerequiredwherepasswords
aretheonlycredentialusedtoauthenticateindividuals.Technicalenforcementofthepassword
parametersmeansaCyberAssetverifiesanindividuallyselectedpasswordmeetstherequired
parametersbeforeallowingtheaccounttoauthenticatewiththeselectedpassword.Technical
enforcementshouldbeusedinmostcaseswhentheauthenticatingCyberAssetsupports
enforcingpasswordparameters.Likewise,proceduralenforcementmeansrequiringthe
passwordparametersthroughprocedures.Individualschoosingthepasswordshavethe
obligationofensuringthepasswordmeetstherequiredparameters.
PasswordcomplexityreferstothepolicysetbyaCyberAssettorequirepasswordstohaveone
ormoreofthefollowingtypesofcharacters:(1)lowercasealphabetic,(2)uppercase
alphabetic,(3)numeric,and(4)nonalphanumericorspecialcharacters(e.g.#,$,@,&),in
variouscombinations.
5.6 Technicalorproceduralenforcementofpasswordchangeobligationsarerequired
wherepasswordsaretheonlycredentialusedtoauthenticateindividuals.Technical
enforcementofpasswordchangeobligationsmeanstheCyberAssetrequiresapassword
changeafteraspecifiedtimeframepriortoallowingaccess.Inthiscase,thepasswordisnot
requiredtochangebythespecifiedtimeaslongastheCyberAssetenforcesthepassword
changeafterthenextsuccessfulauthenticationoftheaccount.Proceduralenforcementmeans
manuallychangingpasswordsusedforinteractiveuseraccessafteraspecifiedtimeframe.
5.7 Configuringanaccountlockoutpolicyoralertingafteracertainnumberoffailed
authenticationattemptsservestopreventunauthorizedaccessthroughanonlinepassword
guessingattack.Thethresholdoffailedauthenticationattemptsshouldbesethighenoughto
avoidfalsepositivesfromauthorizedusersfailingtoauthenticate.Itshouldalsobesetlow
enoughtoaccountforonlinepasswordattacksoccurringoveranextendedperiodoftime.This
thresholdmaybetailoredtotheoperatingenvironmentovertimetoavoidunnecessary
accountlockouts.
Entitiesshouldtakecautionwhenconfiguringaccountlockouttoavoidlockingoutaccounts
necessaryfortheBESCyberSystemtoperformaBESreliabilitytask.Insuchcases,entities
shouldconfigureauthenticationfailurealerting.
GuidelinesandTechnicalBasis
Page34of42
Rationale:
Duringthedevelopmentofthisstandard,referencestopriorversionsoftheCIPstandardsand
rationalefortherequirementsandtheirpartswereembeddedwithinthestandard.UponBOT
approval,thatinformationwasmovedtothissection.
RationaleforR1:
TherequirementisintendedtominimizetheattacksurfaceofBESCyberSystemsthrough
disablingorlimitingaccesstounnecessarynetworkaccessiblelogicalportsandservicesand
physicalI/Oports.
SummaryofChanges:Changedtheneededfornormaloremergencyoperationstothose
portsthatareneeded.PhysicalI/OportswereaddedinresponsetoaFERCorder.The
unneededphysicalportsinControlCenters(whicharethehighestrisk,mostimpactfulareas)
shouldbeprotectedaswell.
Referencetopriorversion:(Part1.1)CIP0074,R2.1andR2.2
ChangeRationale:(Part1.1)
Therequirementfocusesontheentityknowingandonlyallowingthoseportsthatare
necessary.Theadditionalclassificationofnormaloremergencyaddednovalueandhasbeen
removed.
Referencetopriorversion:(Part1.2)New
ChangeRationale:(Part1.2)
OnMarch18,2010,FERCissuedanordertoapproveNERCsinterpretationofRequirementR2
ofCIP0072.Inthisorder,FERCagreedthetermportsinportsandservicesreferstological
communication(e.g.TCP/IP)ports,buttheyalsoencouragedthedraftingteamtoaddress
unusedphysicalports.
RationaleforR2:
Securitypatchmanagementisaproactivewayofmonitoringandaddressingknownsecurity
vulnerabilitiesinsoftwarebeforethosevulnerabilitiescanbeexploitedinamaliciousmanner
togaincontroloforrenderaBESCyberAssetorBESCyberSysteminoperable.
TheremediationplancanbeupdatedasnecessarytomaintainthereliabilityoftheBES,
includinganexplanationofanyreschedulingoftheremediationactions.
SummaryofChanges:TheexistingwordingsofCIP007,RequirementsR3,R3.1,andR3.2,were
separatedintoindividuallineitemstoprovidemoregranularity.Thedocumentationofa
source(s)tomonitorforreleaseofsecurityrelatedpatches,hotfixes,and/orupdatesforBES
CyberSystemorBESCyberAssetswasaddedtoprovidecontextastowhenthereleasedate
was.Thecurrentwordingstateddocumenttheassessmentofsecuritypatchesandsecurity
GuidelinesandTechnicalBasis
Page35of42
upgradesforapplicabilitywithinthirtycalendardaysofavailabilityofthepatchesorupgrades
andtherehasbeenconfusionastowhatconstitutestheavailabilitydate.Duetoissuesthat
mayoccurregardingControlSystemvendorlicenseandserviceagreements,flexibilitymustbe
giventoResponsibleEntitiestodefinewhatsourcesarebeingmonitoredforBESCyberAssets.
Referencetopriorversion:(Part2.1)CIP007,R3
ChangeRationale:(Part2.1)
TherequirementisbroughtforwardfrompreviousCIPversionswiththeadditionofdefiningthe
source(s)thataResponsibleEntitymonitorsforthereleaseofsecurityrelatedpatches.
Documentingthesourceisusedtodeterminewhentheassessmenttimeframeclockstarts.This
requirementalsohandlesthesituationwheresecuritypatchescancomefromanoriginalsource
(suchasanoperatingsystemvendor),butmustbeapprovedorcertifiedbyanothersource(such
asacontrolsystemvendor)beforetheycanbeassessedandappliedinordertonotjeopardize
theavailabilityorintegrityofthecontrolsystem.
Referencetopriorversion:(Part2.2)CIP007,R3.1
ChangeRationale:(Part2.2)
Similartothecurrentwordingbutaddedfromthesourceorsourcesidentifiedin2.1toclarify
the35daytimeframe.
Referencetopriorversion:(Part2.3)CIP007,R3.2
ChangeRationale:(Part2.3)
Therequirementhasbeenchangedtohandlethesituationswhereitismoreofareliabilityrisk
topatcharunningsystemthanthevulnerabilitypresents.Inallcases,theentitydocuments
(eitherthroughthecreationofaneworupdateofanexistingmitigationplan)whattheyare
goingtodotomitigatethevulnerabilityandwhentheyaregoingtodoso.Themitigationplan
may,andinmanycaseswill,consistofinstallingthepatch.However,therearetimeswhenitis
inthebestinterestofreliabilitytonotinstallapatch,andtheentitycandocumentwhatthey
havedonetomitigatethevulnerability.
Referencetopriorversion:(Part2.4)CIP007,R3.2
ChangeRationale:(Part2.4)
Similartothecurrentwordingbutaddedthattheplanmustbeimplementedwithinthe
timeframespecifiedintheplan,orinarevisedplanasapprovedbytheCIPSeniorManageror
delegate.
RationaleforR3:
Maliciouscodepreventionhasthepurposeoflimitinganddetectingtheadditionofmalicious
codeontotheapplicableCyberAssetsofaBESCyberSystem.Maliciouscode(viruses,worms,
botnets,targetedcodesuchasStuxnet,etc.)maycompromisetheavailabilityorintegrityofthe
BESCyberSystem.
SummaryofChanges:Inpriorversions,thisrequirementhasarguablybeenthesinglegreatest
generatorofTFEsasitprescribedaparticulartechnologytobeusedoneveryCCAregardlessof
GuidelinesandTechnicalBasis
Page36of42
thatassetssusceptibilityorcapabilitytousethattechnology.AsthescopeofCyberAssetsin
scopeofthesestandardsexpandstomorefieldassets,thisissuewillgrowexponentially.The
draftingteamistakingtheapproachofmakingthisrequirementacompetencybased
requirementwheretheentitymustdocumenthowthemalwareriskishandledforeachBES
CyberSystem,butitdoesnotprescribeaparticulartechnicalmethodnordoesitprescribethat
itmustbeusedoneveryCyberAsset.TheBESCyberSystemistheobjectofprotection.
BeginninginParagraphs619622ofFERCOrderNo.706,andinparticularParagraph621,FERC
agreesthatthestandarddoesnotneedtoprescribeasinglemethodHowever,howa
responsibleentitydoesthisshouldbedetailedinitscybersecuritypolicysothatitcanbe
auditedforcompliance
InParagraph622,FERCdirectsthattherequirementbemodifiedtoincludesafeguardsagainst
personnelintroducing,eithermaliciouslyorunintentionally,virusesormalicioussoftware
throughremoteaccess,electronicmedia,orothermeans.Thedraftingteambelievesthat
addressingthisissueholisticallyattheBESCyberSystemlevelandregardlessoftechnology,
alongwiththeenhancedchangemanagementrequirements,meetsthisdirective.
Referencetopriorversion:(Part3.1)CIP0074,R4;CIP0074,R4.1
ChangeRationale:(Part3.1)
SeetheSummaryofChanges.FERCOrderNo.706,Paragraph621,statesthestandards
developmentprocessshoulddecidetowhatdegreetoprotectBESCyberSystemsfrom
personnelintroducingmalicioussoftware.
Referencetopriorversion:(Part3.2)CIP0074,R4;CIP0074,R4.1
ChangeRationale:(Part3.2)
SeetheSummaryofChanges.
Referencetopriorversion:(Part3.3)CIP0074,R4;CIP0074,R4.2
ChangeRationale:(Part3.3)
Requirementessentiallyunchangedfrompreviousversions;updatedtorefertopreviouspartsof
therequirementtable.
RationaleforR4:
RationaleforR4:Securityeventmonitoringhasthepurposeofdetectingunauthorizedaccess,
reconnaissanceandothermaliciousactivityonBESCyberSystems,andcomprisesofthe
activitiesinvolvedwiththecollection,processing,alertingandretentionofsecurityrelated
computerlogs.Theselogscanprovideboth(1)thedetectionofanincidentand(2)useful
evidenceintheinvestigationofanincident.Theretentionofsecurityrelatedlogsisintended
tosupportposteventdataanalysis.
Auditprocessingfailuresarenotpenalizedinthisrequirement.Instead,therequirement
specifiesprocesseswhichmustbeinplacetomonitorforandnotifypersonnelofaudit
processingfailures.
GuidelinesandTechnicalBasis
Page37of42
SummaryofChanges:BeginninginParagraph525andalsoParagraph628oftheFERCOrder
No.706,theCommissiondirectsamanualreviewofsecurityeventlogsonamoreperiodic
basis.ThisrequirementcombinesCIP0054,R5andCIP0074,R6andaddressesboth
directivesfromasystemwideperspective.Theprimaryfeedbackreceivedonthisrequirement
fromtheinformalcommentperiodwasthevaguenessoftermssecurityeventandmonitor.
Thetermsecurityeventoreventsrelatedtocybersecurityisproblematicbecauseitdoes
notapplyconsistentlyacrossallplatformsandapplications.Toresolvethisterm,the
requirementtakesanapproachsimilartoNIST80053andrequirestheentitytodefinethe
securityeventsrelevanttotheSystem.ThereareafeweventsexplicitlylistedthatifaCyber
AssetorBESCyberSystemcanlog,thenitmustlog.
Inaddition,thisrequirementsetsupparametersforthemonitoringandreviewingofprocesses.
Itisrarelyfeasibleorproductivetolookateverysecuritylogonthesystem.Paragraph629of
theFERCOrderNo.706acknowledgesthisrealitywhendirectingamanuallogreview.Asa
result,thisrequirementallowsthemanualreviewtoconsistofasamplingorsummarizationof
securityeventsoccurringsincethelastreview.
Referencetopriorversion:(Part4.1)CIP0054,R3;CIP0074,R5,R5.1.2,R6.1,andR6.3
ChangeRationale:(Part4.1)
ThisrequirementisderivedfromNIST80053version3AU2,whichrequiresorganizationsto
determinesystemeventstoauditforincidentresponsepurposes.Theindustryexpressed
confusioninthetermsystemeventsrelatedtocybersecurityfrominformalcomments
receivedonCIP011.AccesslogsfromtheESPasrequiredinCIP0054RequirementR3and
useraccessandactivitylogsasrequiredinCIP0075RequirementR5arealsoincludedhere.
Referencetopriorversion:(Part4.2)CIP0054,R3.2;CIP0074,R6.2
ChangeRationale:(Part4.2)
ThisrequirementisderivedfromalertingrequirementsinCIP0054,RequirementR3.2andCIP
0074,RequirementR6.2inadditiontoNIST80053version3AU6.PreviousCIPStandards
requiredalertingonunauthorizedaccessattemptsanddetectedCyberSecurityIncidents,which
canbevastanddifficulttodeterminefromdaytoday.Changestothisrequirementallowthe
entitytodetermineeventsthatnecessitatearesponse.
Referencetopriorversion:(Part4.3)CIP0054,R3.2;CIP0074,R6.4
ChangeRationale:(Part4.3)
Nosubstantivechange.
Referencetopriorversion:(Part4.4)CIP0054,R3.2;CIP0074,R6.5
ChangeRationale:(Part4.4)
BeginninginParagraph525andalso628oftheFERCOrderNo.706,theCommissiondirectsa
manualreviewofsecurityeventlogsonamoreperiodicbasisandsuggestsaweeklyreview.
TheOrderacknowledgesitisrarelyfeasibletoreviewallsystemlogs.Indeed,logreviewisa
dynamicprocessthatshouldimproveovertimeandwithadditionalthreatinformation.
GuidelinesandTechnicalBasis
Page38of42
Changestothisrequirementallowforanapproximatelybiweeklysummaryorsamplingreview
oflogs.
RationaleforR5:
TohelpensurethatnoauthorizedindividualcangainelectronicaccesstoaBESCyberSystem
untiltheindividualhasbeenauthenticated,i.e.,untiltheindividual'slogoncredentialshave
beenvalidated.RequirementR5alsoseekstoreducetheriskthatstaticpasswords,where
usedasauthenticators,maybecompromised.
RequirementPart5.1ensurestheBESCyberSystemorCyberAssetauthenticatesindividuals
thatcanmodifyconfigurationinformation.Thisrequirementaddressestheconfigurationof
authentication.TheauthorizationofindividualsisaddressedelsewhereintheCIPCyber
SecurityStandards.Interactiveuseraccessdoesnotincludereadonlyinformationaccessin
whichtheconfigurationoftheCyberAssetcannotchange(e.g.frontpaneldisplays,webbased
reports,etc.).Fordevicesthatcannottechnicallyorforoperationalreasonsperform
authentication,anentitymaydemonstrateallinteractiveuseraccesspaths,bothremoteand
local,areconfiguredforauthentication.Physicalsecuritysufficesforlocalaccessconfiguration
ifthephysicalsecuritycanrecordwhoisinthePhysicalSecurityPerimeterandatwhattime.
RequirementPart5.2addressesdefaultandothergenericaccounttypes.Identifyingtheuseof
defaultorgenericaccounttypesthatcouldintroducevulnerabilitieshasthebenefitensuring
entitiesunderstandthepossiblerisktheseaccountsposetotheBESCyberSystem.The
RequirementPartavoidsprescribinganactiontoaddresstheseaccountsbecausethemost
effectivesolutionissituationspecific,andinsomecases,removingordisablingtheaccount
couldhavereliabilityconsequences.
RequirementPart5.3addressesidentificationofindividualswithaccesstosharedaccounts.
ThisRequirementParthastheobjectiveofmitigatingtheriskofunauthorizedaccessthrough
sharedaccounts.ThisdiffersfromotherCIPCyberSecurityStandardsRequirementsto
authorizeaccess.Anentitycanauthorizeaccessandstillnotknowwhohasaccesstoashared
account.Failuretoidentifyindividualswithaccesstosharedaccountswouldmakeitdifficultto
revokeaccesswhenitisnolongerneeded.Thetermauthorizedisusedintherequirementto
makeclearthatindividualsstoring,losing,orinappropriatelysharingapasswordisnota
violationofthisrequirement.
Requirement5.4addressesdefaultpasswords.Changingdefaultpasswordsclosesaneasily
exploitablevulnerabilityinmanysystemsandapplications.Pseudorandomlysystemgenerated
passwordsarenotconsidereddefaultpasswords.
Forpasswordbaseduserauthentication,usingstrongpasswordsandchangingthem
periodicallyhelpsmitigatetheriskofsuccessfulpasswordcrackingattacksandtheriskof
accidentalpassworddisclosuretounauthorizedindividuals.Intheserequirements,thedrafting
teamconsideredmultipleapproachestoensuringthisrequirementwasbotheffectiveand
flexibleenoughtoallowResponsibleEntitiestomakegoodsecuritydecisions.Oneofthe
approachesconsideredinvolvedrequiringminimumpasswordentropy,butthecalculationfor
GuidelinesandTechnicalBasis
Page39of42
trueinformationentropyismorehighlycomplexandmakesseveralassumptionsinthe
passwordsuserschoose.Userscanpickpoorpasswordswellbelowthecalculatedminimum
entropy.
Thedraftingteamalsochosetonotrequiretechnicalfeasibilityexceptionsfordevicesthat
cannotmeetthelengthandcomplexityrequirementsinpasswordparameters.Theobjective
ofthisrequirementistoapplyameasurablepasswordpolicytodeterpasswordcracking
attempts,andreplacingdevicestoachieveaspecifiedpasswordpolicydoesnotmeetthis
objective.Atthesametime,thisrequirementhasbeenstrengthenedtorequireaccount
lockoutoralertingforfailedloginattempts,whichinmanyinstancesbettermeetsthe
requirementobjective.
Therequirementtochangepasswordsexiststoaddresspasswordcrackingattemptsifan
encryptedpasswordweresomehowattainedandalsotorefreshpasswordswhichmayhave
beenaccidentallydisclosedovertime.Therequirementpermitstheentitytospecifythe
periodicityofchangetoaccomplishthisobjective.Specifically,thedraftingteamfelt
determiningtheappropriateperiodicitybasedonanumberoffactorsismoreeffectivethan
specifyingtheperiodforeveryBESCyberSystemintheStandard.Ingeneral,passwordsfor
userauthenticationshouldbechangedatleastannually.Theperiodicitymayincreaseinsome
cases.Forexample,applicationpasswordsthatarelongandpseudorandomlygeneratedcould
haveaverylongperiodicity.Also,passwordsusedonlyasaweakformofapplication
authentication,suchasaccessingtheconfigurationofarelaymayonlyneedtobechangedas
partofregularlyscheduledmaintenance.
TheCyberAssetshouldautomaticallyenforcethepasswordpolicyforindividualuseraccounts.
However,forsharedaccountsinwhichnomechanismexiststoenforcepasswordpolicies,the
ResponsibleEntitycanenforcethepasswordpolicyprocedurallyandthroughinternal
assessmentandaudit.
RequirementPart5.7assistsinpreventingonlinepasswordattacksbylimitingthenumberof
guessesanattackercanmake.Thisrequirementallowseitherlimitingthenumberoffailed
authenticationattemptsoralertingafteradefinednumberoffailedauthenticationattempts.
Entitiesshouldtakecautioninchoosingtolimitthenumberoffailedauthenticationattempts
forallaccountsbecausethiswouldallowthepossibilityforadenialofserviceattackontheBES
CyberSystem.
SummaryofChanges(FromR5):
CIP0074,RequirementR5.3requirestheuseofpasswordsandspecifiesaspecificpolicyofsix
charactersormorewithacombinationofalphanumericandspecialcharacters.Thelevelof
detailintheserequirementscanrestrictmoreeffectivesecuritymeasures.Forexample,many
haveinterpretedthepasswordfortokensorbiometricsmustsatisfythispolicyandinsome
casespreventstheuseofthisstrongerauthentication.Also,longerpasswordsmaypreclude
theuseofstrictcomplexityrequirements.Thepasswordrequirementshavebeenchangedto
allowtheentitytospecifythemosteffectivepasswordparametersbasedontheimpactofthe
BESCyberSystem,thewaypasswordsareused,andthesignificanceofpasswordsinrestricting
accesstothesystem.TheSDTbelievesthesechangesstrengthentheauthentication
GuidelinesandTechnicalBasis
Page40of42
mechanismbyrequiringentitiestolookatthemosteffectiveuseofpasswordsintheir
environment.Otherwise,prescribingastrictpasswordpolicyhasthepotentialtolimitthe
effectivenessofsecuritymechanismsandprecludebettermechanismsinthefuture.
Referencetopriorversion:(Part5.1)CIP0074,R5
ChangeRationale:(Part5.1)
Therequirementtoenforceauthenticationforalluseraccessisincludedhere.Therequirement
toestablish,implement,anddocumentcontrolsisincludedinthisintroductoryrequirement.
Therequirementtohavetechnicalandproceduralcontrolswasremovedbecausetechnical
controlssufficewhenproceduraldocumentationisalreadyrequired.Thephrasethatminimize
theriskofunauthorizedaccesswasremovedandmoreappropriatelycapturedintherationale
statement.
Referencetopriorversion:(Part5.2)CIP0074,R5.2andR5.2.1
ChangeRationale:(Part5.2)
CIP0074requiresentitiestominimizeandmanagethescopeandacceptableuseofaccount
privileges.Therequirementtominimizeaccountprivilegeshasbeenremovedbecausethe
implementationofsuchapolicyisdifficulttomeasureatbest.
Referencetopriorversion:(Part5.3)CIP0074,R5.2.2
ChangeRationale:(Part5.3)
Nosignificantchanges.Addedauthorizedaccesstomakeclearthatindividualsstoring,losing
orinappropriatelysharingapasswordisnotaviolationofthisrequirement.
Referencetopriorversion:(Part5.4)CIP0074,R5.2.1
ChangeRationale:(Part5.4)
Therequirementfortheremoval,disablingorrenamingofsuchaccountswherepossiblehas
beenremovedandincorporatedintoguidanceforacceptableuseofaccounttypes.Thiswas
removedbecausethoseactionsarenotappropriateonallaccounttypes.Addedtheoptionof
havinguniquedefaultpasswordstopermitcaseswhereasystemmayhavegeneratedadefault
passwordorahardcodeduniquelygenerateddefaultpasswordwasmanufacturedwiththeBES
CyberSystem.
Referencetopriorversion:(Part5.5)CIP0074,R5.3
ChangeRationale:(Part5.5)
CIP0074,RequirementR5.3requirestheuseofpasswordsandspecifiesaspecificpolicyofsix
charactersormorewithacombinationofalphanumericandspecialcharacters.Thelevelof
detailintheserequirementscanrestrictmoreeffectivesecuritymeasures.Thepassword
requirementshavebeenchangedtopermitthemaximumallowedbythedeviceincaseswhere
thepasswordparameterscouldotherwisenotachieveastricterpolicy.Thischangestill
achievestherequirementobjectivetominimizetheriskofunauthorizeddisclosureofpassword
GuidelinesandTechnicalBasis
Page41of42
credentialswhilerecognizingpasswordparametersalonedonotachievethis.Thedrafting
teamfeltallowingtheResponsibleEntitytheflexibilityofapplyingthestrictestpasswordpolicy
allowedbyadeviceoutweighedtheneedtotrackarelativelyminimallyeffectivecontrol
throughtheTFEprocess.
Referencetopriorversion:(Part5.6)CIP0074,R5.3.3
ChangeRationale:(Part5.6)
*ThiswasoriginallyRequirementR5.5.3,butmovedtoaddexternalroutableconnectivityto
mediumimpactinresponsetocomments.Thisrequirementislimitedinscopebecausetherisk
toperforminganonlinepasswordattackislessenedbyitslackofexternalroutableconnectivity.
Frequentlychangingpasswordsatfieldassetscanentailsignificanteffortwithminimalrisk
reduction.
Referencetopriorversion:(Part5.7)NewRequirement
ChangeRationale:(Part5.7)
Minimizingthenumberofunsuccessfulloginattemptssignificantlyreducestheriskoflive
passwordcrackingattempts.Thisisamoreeffectivecontrolinlivepasswordattacksthan
passwordparameters.
Version History
Version Date Action ChangeTracking
1 1/16/06
R3.2ChangeControlCenterto
controlcenter.
3/24/06
2 9/30/09 Modificationstoclarifythe
requirementsandtobringthe
complianceelementsintoconformance
withthelatestguidelinesfordeveloping
complianceelementsofstandards.
Removalofreasonablebusiness
judgment.
ReplacedtheRROwiththeREasa
responsibleentity.
RewordingofEffectiveDate.
Changedcompliancemonitorto
ComplianceEnforcementAuthority.
3 12/16/09 Updatedversionnumberfrom2to3
ApprovedbytheNERCBoardof
Trustees.
GuidelinesandTechnicalBasis
Page42of42
3 3/31/10 ApprovedbyFERC.
4 12/30/10 Modifiedtoaddspecificcriteriafor
CriticalAssetidentification.
Update
4 1/24/11 ApprovedbytheNERCBoardof
Trustees.
Update
5 11/26/12 AdoptedbytheNERCBoardof
Trustees.
Modifiedto
coordinatewith
otherCIP
standardsandto
reviseformatto
useRBS
Template.
Standard CIP0083 Cyber Security Incident Reporting and Response Planning
Approved by Board of Trustees: December 16, 2009 1
A. Introduction
1. Title: Cyber Security Incident Reporting and Response Planning
2. Number: CIP-008-3
3. Purpose: Standard CIP-008-3 ensures the identification, classification, response, and
reporting of Cyber Security Incidents related to Critical Cyber Assets. Standard CIP-008-23
should be read as part of a group of standards numbered Standards CIP-002-3 through CIP-
009-3.
4. Applicability
4.1. Within the text of Standard CIP-008-3, Responsible Entity shall mean:
4.1.1 Reliability Coordinator.
4.1.2 Balancing Authority.
4.1.3 Interchange Authority.
4.1.4 Transmission Service Provider.
4.1.5 Transmission Owner.
4.1.6 Transmission Operator.
4.1.7 Generator Owner.
4.1.8 Generator Operator.
4.1.9 Load Serving Entity.
4.1.10 NERC.
4.1.11 Regional Entity.
4.2. The following are exempt from Standard CIP-008-3:
4.2.1 Facilities regulated by the U.S. Nuclear Regulatory Commission or the Canadian
Nuclear Safety Commission.
4.2.2 Cyber Assets associated with communication networks and data communication
links between discrete Electronic Security Perimeters.
4.2.3 Responsible Entities that, in compliance with Standard CIP-002-3, identify that
they have no Critical Cyber Assets.
5. Effective Date: The first day of the third calendar quarter after applicable regulatory approvals
have been received (or the Reliability Standard otherwise becomes effective the first day of the
third calendar quarter after BOT adoption in those jurisdictions where regulatory approval is
not required).
B. Requirements
R1. Cyber Security Incident Response Plan The Responsible Entity shall develop and maintain a
Cyber Security Incident response plan and implement the plan in response to Cyber Security
Incidents. The Cyber Security Incident response plan shall address, at a minimum, the
following:
R1.1. Procedures to characterize and classify events as reportable Cyber Security Incidents.
R1.2. Response actions, including roles and responsibilities of Cyber Security Incident
response teams, Cyber Security Incident handling procedures, and communication
plans.
Standard CIP0083 Cyber Security Incident Reporting and Response Planning
Approved by Board of Trustees: December 16, 2009 2
R1.3. Process for reporting Cyber Security Incidents to the Electricity Sector Information
Sharing and Analysis Center (ES-ISAC). The Responsible Entity must ensure that all
reportable Cyber Security Incidents are reported to the ES-ISAC either directly or
through an intermediary.
R1.4. Process for updating the Cyber Security Incident response plan within thirty calendar
days of any changes.
R1.5. Process for ensuring that the Cyber Security Incident response plan is reviewed at
least annually.
R1.6. Process for ensuring the Cyber Security Incident response plan is tested at least
annually. A test of the Cyber Security Incident response plan can range from a paper
drill, to a full operational exercise, to the response to an actual incident.
R2. Cyber Security Incident Documentation The Responsible Entity shall keep relevant
documentation related to Cyber Security Incidents reportable per Requirement R1.1 for three
calendar years.
C. Measures
M1. The Responsible Entity shall make available its Cyber Security Incident response plan as
indicated in Requirement R1 and documentation of the review, updating, and testing of the
plan.
M2. The Responsible Entity shall make available all documentation as specified in Requirement
R2.
D. Compliance
1. Compliance Monitoring Process
1.1. Compliance Enforcement Authority
1.1.1 Regional Entity for Responsible Entities that do not perform delegated tasks for
their Regional Entity.
1.1.2 ERO for Regional Entity.
1.1.3 Third-party monitor without vested interest in the outcome for NERC.
1.2. Compliance Monitoring Period and Reset Time Frame
Not applicable.
1.3. Compliance Monitoring and Enforcement Processes
Compliance Audits
Self-Certifications
Spot Checking
Compliance Violation Investigations
Self-Reporting
Complaints
1.4. Data Retention
1.4.1 The Responsible Entity shall keep documentation other than that required for
reportable Cyber Security Incidents as specified in Standard CIP-008-3 for the
previous full calendar year unless directed by its Compliance Enforcement
Standard CIP0083 Cyber Security Incident Reporting and Response Planning
Approved by Board of Trustees: December 16, 2009 3
Authority to retain specific evidence for a longer period of time as part of an
investigation.
1.4.2 The Compliance Enforcement Authority in conjunction with the Registered
Entity shall keep the last audit records and all requested and submitted
subsequent audit records.
1.5. Additional Compliance Information
1.5.1 The Responsible Entity may not take exception in its cyber security policies to
the creation of a Cyber Security Incident response plan.
1.5.2 The Responsible Entity may not take exception in its cyber security policies to
reporting Cyber Security Incidents to the ES ISAC.
2. Violation Severity Levels (To be developed later.)
E. Regional Variances
None identified.
Version History
Version Date Action Change Tracking
2 Modifications to clarify the requirements
and to bring the compliance elements into
conformance with the latest guidelines for
developing compliance elements of
standards.
Removal of reasonable business judgment.
Replaced the RRO with the RE as a
responsible entity.
Rewording of Effective Date.
Changed compliance monitor to
Compliance Enforcement Authority.
3 Updated Version number from -2 to -3
In Requirement 1.6, deleted the sentence
pertaining to removing component or
system from service in order to perform
testing, in response to FERC order issued
September 30, 2009.
3 12/16/09 Approved by NERC Board of Trustees Update
Standard CIP0084 Cyber Security Incident Reporting and Res pons e Planning
1
A. Introduction
1. Title: Cyber Security Incident Reporting and Response Planning
2. Number: CIP-008-4
3. Purpose: Standard CIP-008-4 ensures the identification, classification, response, and
reporting of Cyber Security Incidents related to Critical Cyber Assets. Standard CIP-008-4
should be read as part of a group of standards numbered Standards CIP-002-4 through CIP-
009-4.
4. Applicability
4.1. Within the text of Standard CIP-008-4, Responsible Entity shall mean:
4.1.1 Reliability Coordinator.
4.1.2 Balancing Authority.
4.1.3 Interchange Authority.
4.1.4 Transmission Service Provider.
4.1.5 Transmission Owner.
4.1.6 Transmission Operator.
4.1.7 Generator Owner.
4.1.8 Generator Operator.
4.1.9 Load Serving Entity.
4.1.10 NERC.
4.1.11 Regional Entity.
4.2. The following are exempt from Standard CIP-008-4:
4.2.1 Facilities regulated by the Canadian Nuclear Safety Commission.
4.2.2 Cyber Assets associated with communication networks and data communication
links between discrete Electronic Security Perimeters.
4.2.3 In nuclear plants, the systems, structures, and components that are regulated by
the Nuclear Regulatory Commission under a cyber security plan pursuant to 10
C.F. R. Section 73.54
4.2.4 Responsible Entities that, in compliance with Standard CIP-002-4, identify that
they have no Critical Cyber Assets.
5. Effective Date: The first day of the eighth calendar quarter after applicable regulatory
approvals have been received (or the Reliability Standard otherwise becomes effective the first
day of the ninth calendar quarter after BOT adoption in those jurisdictions where regulatory
approval is not required).
B. Requirements
R1. Cyber Security Incident Response Plan The Responsible Entity shall develop and maintain a
Cyber Security Incident response plan and implement the plan in response to Cyber Security
Incidents. The Cyber Security Incident response plan shall address, at a minimum, the
following:
R1.1. Procedures to characterize and classify events as reportable Cyber Security Incidents.
Standard CIP0084 Cyber Security Incident Reporting and Res pons e Planning
2
R1.2. Response actions, including roles and responsibilities of Cyber Security Incident
response teams, Cyber Security Incident handling procedures, and communication
plans.
R1.3. Process for reporting Cyber Security Incidents to the Electricity Sector Information
Sharing and Analysis Center (ES-ISAC). The Responsible Entity must ensure that all
reportable Cyber Security Incidents are reported to the ES-ISAC either directly or
through an intermediary.
R1.4. Process for updating the Cyber Security Incident response plan within thirty calendar
days of any changes.
R1.5. Process for ensuring that the Cyber Security Incident response plan is reviewed at
least annually.
R1.6. Process for ensuring the Cyber Security Incident response plan is tested at least
annually. A test of the Cyber Security Incident response plan can range from a paper
drill, to a full operational exercise, to the response to an actual incident.
R2. Cyber Security Incident Documentation The Responsible Entity shall keep relevant
documentation related to Cyber Security Incidents reportable per Requirement R1.1 for three
calendar years.
C. Measures
M1. The Responsible Entity shall make available its Cyber Security Incident response plan as
indicated in Requirement R1 and documentation of the review, updating, and testing of the
plan.
M2. The Responsible Entity shall make available all documentation as specified in Requirement
R2.
Standard CIP0084 Cyber Security Incident Reporting and Res pons e Planning
3
D. Compliance
1. Compliance Monitoring Process
1.1. Compliance Enforcement Authority
1.2. The RE shall serve as the CEA with the following exceptions:
1.2.1 For entities that do not work for the Regional Entity, the Regional Entity shall serve as the Compliance Enforcement Authority.
1.2.2 For Reliability Coordinators and other functional entities that work for their Regional Entity, the ERO shall serve as the Compliance
Enforcement Authority.
1.2.3 For Responsible Entities that are also Regional Entities, the ERO or a Regional Entity approved by the ERO and FERC or other
applicable governmental authorities shall serve as the Compliance Enforcement Authority.
1.2.4 For the ERO, a third-party monitor without vested interest in the outcome for the ERO shall serve as the Compliance Enforcement
Authority.
1.3. Compliance Monitoring and Enforcement Processes
Compliance Audits
Self-Certifications
Spot Checking
Compliance Violation Investigations
Self-Reporting
Complaints
1.4. Data Retention
1.4.1 The Responsible Entity shall keep documentation other than that required for reportable Cyber Security Incidents as specified in
Standard CIP-008-4 for the previous full calendar year unless directed by its Compliance Enforcement Authority to retain specific
evidence for a longer period of time as part of an investigation.
1.4.2 The Compliance Enforcement Authority in conjunction with the Registered Entity shall keep the last audit records and all requested
and submitted subsequent audit records.
1.5. Additional Compliance Information
1.5.1 The Responsible Entity may not take exception in its cyber security policies to the creation of a Cyber Security Incident response
plan.
Standard CIP0084 Cyber Security Incident Reporting and Res pons e Planning
4
1.5.2 The Responsible Entity may not take exception in its cyber security policies to reporting Cyber Security Incidents to the ES ISAC.
2. Violation Severity Levels
Requirement VRF Lower VSL Moderate VSL High VSL Severe VSL
R1. LOWER N/A
The Responsible Entity has
developed but not maintained a
Cyber Security Incident
response plan.
The Responsible Entity has developed a Cyber Security
Incident response plan but the plan does not address one or
more of the subrequirements R1.1 through
R1.6.
The Responsible Entity has not developed a Cyber Security
Incident response plan or has not implemented the plan in
response to a Cyber Security Incident.
R1.1. LOWER N/A N/A N/A N/A
R1.2. LOWER N/A N/A N/A N/A
R1.3. LOWER N/A N/A N/A N/A
R1.4. LOWER N/A N/A N/A N/A
R1.5. LOWER N/A N/A N/A N/A
R1.6. LOWER N/A N/A N/A N/A
R2 LOWER The Responsible Entity
has kept relevant
documentation related to
Cyber Security Incidents
reportable per
Requirement R1.1 for
two but less than three
calendar years.
The Responsible Entity has kept
relevant documentation related
to Cyber Security Incidents
reportable per Requirement R1.1
for less than two calendar years.
The Responsible Entity has kept relevant documentation
related to Cyber Security Incidents reportable per
Requirement R1.1 for less than one calendar year.
The Responsible Entity has not kept relevant documentation
related to Cyber Security Incidents reportable per Requirement
R1.1.
Standard CIP0084 Cyber Security Incident Reporting and Res pons e Planning
5
E. Regional Variances
None identified.
Version History
Version Date Action Change Tracking
2 Modifications to clarify the requirements
and to bring the compliance elements into
conformance with the latest guidelines for
developing compliance elements of
standards.
Removal of reasonable business judgment.
Replaced the RRO with the RE as a
responsible entity.
Rewording of Effective Date.
Changed compliance monitor to
Compliance Enforcement Authority.
3 Updated Version number from -2 to -3
In Requirement 1.6, deleted the sentence
pertaining to removing component or
system from service in order to perform
testing, in response to FERC order issued
September 30, 2009.
3 12/16/09 Approved by NERC Board of Trustees Update
4 Board approved
01/24/2011
Update version number from 3 to 4 Update to conform to
changes to CIP-002-4
(Project 2008-06)
4 4/19/12 FERC Order issued approving CIP-008-4
(approval becomes effective June 25, 2012)
Added approved VRF/VSL table to section
D.2.
CIP0085CyberSecurityIncidentReportingandResponsePlanning
Page1of24
A. I ntroduction
1. Title: CyberSecurityIncidentReportingandResponsePlanning
2. Number: CIP0085
3. Purpose: TomitigatetherisktothereliableoperationoftheBESastheresultofa
CyberSecurityIncidentbyspecifyingincidentresponserequirements.
4. Applicability:
4.1. FunctionalEntities:Forthepurposeoftherequirementscontainedherein,the
followinglistoffunctionalentitieswillbecollectivelyreferredtoasResponsible
Entities.Forrequirementsinthisstandardwhereaspecificfunctionalentityor
subsetoffunctionalentitiesaretheapplicableentityorentities,thefunctionalentity
orentitiesarespecifiedexplicitly.
4.1.1 BalancingAuthority
4.1.2 DistributionProviderthatownsoneormoreofthefollowingFacilities,systems,
andequipmentfortheprotectionorrestorationoftheBES:
4.1.2.1 EachunderfrequencyLoadshedding(UFLS)orundervoltageLoadshedding
(UVLS)systemthat:
4.1.2.1.1 ispartofaLoadsheddingprogramthatissubjecttooneormore
requirementsinaNERCorRegionalReliabilityStandard;and
4.1.2.1.2 performsautomaticLoadsheddingunderacommoncontrolsystem
ownedbytheResponsibleEntity,withouthumanoperatorinitiation,
of300MWormore.
4.1.2.2 EachSpecialProtectionSystemorRemedialActionSchemewherethe
SpecialProtectionSystemorRemedialActionSchemeissubjecttooneor
morerequirementsinaNERCorRegionalReliabilityStandard.
4.1.2.3 EachProtectionSystem(excludingUFLSandUVLS)thatappliesto
TransmissionwheretheProtectionSystemissubjecttooneormore
requirementsinaNERCorRegionalReliabilityStandard.
4.1.2.4 EachCrankingPathandgroupofElementsmeetingtheinitialswitching
requirementsfromaBlackstartResourceuptoandincludingthefirst
interconnectionpointofthestartingstationserviceofthenextgeneration
unit(s)tobestarted.
4.1.3 GeneratorOperator
4.1.4 GeneratorOwner
4.1.5 InterchangeCoordinatororInterchangeAuthority
4.1.6 ReliabilityCoordinator
4.1.7 TransmissionOperator
CIP0085CyberSecurityIncidentReportingandResponsePlanning
Page2of24
4.1.8 TransmissionOwner
4.2. Facilities:Forthepurposeoftherequirementscontainedherein,thefollowing
Facilities,systems,andequipmentownedbyeachResponsibleEntityin4.1above
arethosetowhichtheserequirementsareapplicable.Forrequirementsinthis
standardwhereaspecifictypeofFacilities,system,orequipmentorsubsetof
Facilities,systems,andequipmentareapplicable,thesearespecifiedexplicitly.
4.2.1 DistributionProvider:OneormoreofthefollowingFacilities,systemsand
equipmentownedbytheDistributionProviderfortheprotectionorrestoration
oftheBES:
4.2.1.1 EachUFLSorUVLSSystemthat:
4.2.1.1.1 ispartofaLoadsheddingprogramthatissubjecttooneormore
requirementsinaNERCorRegionalReliabilityStandard;and
4.2.1.1.2 performsautomaticLoadsheddingunderacommoncontrolsystem
ownedbytheResponsibleEntity,withouthumanoperatorinitiation,
of300MWormore.
4.2.1.2 EachSpecialProtectionSystemorRemedialActionSchemewherethe
SpecialProtectionSystemorRemedialActionSchemeissubjecttooneor
morerequirementsinaNERCorRegionalReliabilityStandard.
4.2.1.3 EachProtectionSystem(excludingUFLSandUVLS)thatappliesto
TransmissionwheretheProtectionSystemissubjecttooneormore
requirementsinaNERCorRegionalReliabilityStandard.
4.2.1.4 EachCrankingPathandgroupofElementsmeetingtheinitialswitching
requirementsfromaBlackstartResourceuptoandincludingthefirst
interconnectionpointofthestartingstationserviceofthenextgeneration
unit(s)tobestarted.
4.2.2 ResponsibleEntitieslistedin4.1otherthanDistributionProviders:
AllBESFacilities.
4.2.3 Exemptions:ThefollowingareexemptfromStandardCIP0085:
4.2.3.1 CyberAssetsatFacilitiesregulatedbytheCanadianNuclearSafety
Commission.
4.2.3.2 CyberAssetsassociatedwithcommunicationnetworksanddata
communicationlinksbetweendiscreteElectronicSecurityPerimeters.
4.2.3.3 Thesystems,structures,andcomponentsthatareregulatedbytheNuclear
RegulatoryCommissionunderacybersecurityplanpursuantto10C.F.R.
Section73.54.
4.2.3.4 ForDistributionProviders,thesystemsandequipmentthatarenotincluded
insection4.2.1above.
CIP0085CyberSecurityIncidentReportingandResponsePlanning
Page3of24
4.2.3.5 ResponsibleEntitiesthatidentifythattheyhavenoBESCyberSystems
categorizedashighimpactormediumimpactaccordingtotheCIP0025
identificationandcategorizationprocesses.
5.EffectiveDates:
1.24MonthsMinimumCIP0085shallbecomeeffectiveonthelaterofJuly1,
2015,orthefirstcalendardayoftheninthcalendarquarteraftertheeffective
dateoftheorderprovidingapplicableregulatoryapproval.
2.Inthosejurisdictionswherenoregulatoryapprovalisrequired,CIP0085shall
becomeeffectiveonthefirstdayoftheninthcalendarquarterfollowingBoardof
Trusteesapproval,orasotherwisemadeeffectivepursuanttothelaws
applicabletosuchEROgovernmentalauthorities.
6.Background:
StandardCIP0085existsaspartofasuiteofCIPStandardsrelatedtocybersecurity.
CIP0025requirestheinitialidentificationandcategorizationofBESCyberSystems.
CIP0035,CIP0045,CIP0055,CIP0065,CIP0075,CIP0085,CIP0095,CIP0101,
andCIP0111requireaminimumleveloforganizational,operational,andprocedural
controlstomitigaterisktoBESCyberSystems.ThissuiteofCIPStandardsisreferred
toastheVersion5CIPCyberSecurityStandards.
Mostrequirementsopenwith,EachResponsibleEntityshallimplementoneormore
documented[processes,plan,etc]thatincludetheapplicableitemsin[Table
Reference].Thereferencedtablerequirestheapplicableitemsintheproceduresfor
therequirementscommonsubjectmatter.
Thetermdocumentedprocessesreferstoasetofrequiredinstructionsspecifictothe
ResponsibleEntityandtoachieveaspecificoutcome.Thistermdoesnotimplyany
particularnamingorapprovalstructurebeyondwhatisstatedintherequirements.
Anentityshouldincludeasmuchasitbelievesnecessaryintheirdocumented
processes,buttheymustaddresstheapplicablerequirementsinthetable.
Thetermsprogramandplanaresometimesusedinplaceofdocumentedprocesses
whereitmakessenseandiscommonlyunderstood.Forexample,documented
processesdescribingaresponsearetypicallyreferredtoasplans(i.e.,incident
responseplansandrecoveryplans).Likewise,asecurityplancandescribean
approachinvolvingmultipleprocedurestoaddressabroadsubjectmatter.
Similarly,thetermprogrammayrefertotheorganizationsoverallimplementationof
itspolicies,plansandproceduresinvolvingasubjectmatter.Examplesinthe
standardsincludethepersonnelriskassessmentprogramandthepersonneltraining
program.ThefullimplementationoftheCIPCyberSecurityStandardscouldalsobe
referredtoasaprogram.However,thetermsprogramandplandonotimplyany
additionalrequirementsbeyondwhatisstatedinthestandards.
ResponsibleEntitiescanimplementcommoncontrolsthatmeetrequirementsfor
multiplehighandmediumimpactBESCyberSystems.Forexample,asingletraining
CIP0085CyberSecurityIncidentReportingandResponsePlanning
Page4of24
programcouldmeettherequirementsfortrainingpersonnelacrossmultipleBES
CyberSystems.
Measuresfortheinitialrequirementaresimplythedocumentedprocesses
themselves.Measuresinthetablerowsprovideexamplesofevidencetoshow
documentationandimplementationofapplicableitemsinthedocumentedprocesses.
Thesemeasuresservetoprovideguidancetoentitiesinacceptablerecordsof
complianceandshouldnotbeviewedasanallinclusivelist.
Throughoutthestandards,unlessotherwisestated,bulleteditemsinthe
requirementsandmeasuresareitemsthatarelinkedwithanor,andnumbered
itemsareitemsthatarelinkedwithanand.
ManyreferencesintheApplicabilitysectionuseathresholdof300MWforUFLSand
UVLS.Thisparticularthresholdof300MWforUVLSandUFLSwasprovidedinVersion
1oftheCIPCyberSecurityStandards.Thethresholdremainsat300MWsinceitis
specificallyaddressingUVLSandUFLS,whicharelastditcheffortstosavetheBulk
ElectricSystem.AreviewofUFLStolerancesdefinedwithinregionalreliability
standardsforUFLSprogramrequirementstodateindicatesthatthehistoricalvalueof
300MWrepresentsanadequateandreasonablethresholdvalueforallowableUFLS
operationaltolerances.
ApplicableSystemsColumnsinTables:
EachtablehasanApplicableSystemscolumntofurtherdefinethescopeofsystems
towhichaspecificrequirementrowapplies.TheCSO706SDTadaptedthisconcept
fromtheNationalInstituteofStandardsandTechnology(NIST)RiskManagement
Frameworkasawayofapplyingrequirementsmoreappropriatelybasedonimpact
andconnectivitycharacteristics.Thefollowingconventionsareusedinthe
ApplicableSystemscolumnasdescribed.
HighImpactBESCyberSystemsAppliestoBESCyberSystemscategorizedas
highimpactaccordingtotheCIP0025identificationandcategorization
processes.
MediumImpactBESCyberSystemsAppliestoBESCyberSystemscategorizedas
mediumimpactaccordingtotheCIP0025identificationandcategorization
processes.
CIP0085CyberSecurityIncidentReportingandResponsePlanning
Page5of24
B. Requirements and Measures
R1. EachResponsibleEntityshalldocumentoneormoreCyberSecurityIncidentresponseplan(s)thatcollectivelyincludeeach
oftheapplicablerequirementpartsinCIP0085TableR1CyberSecurityIncidentResponsePlanSpecifications.[Violation
RiskFactor:Lower][TimeHorizon:LongTermPlanning].
M1. Evidencemustincludeeachofthedocumentedplan(s)thatcollectivelyincludeeachoftheapplicablerequirementpartsin
CIP0085TableR1CyberSecurityIncidentResponsePlanSpecifications.
CIP0085TableR1CyberSecurityIncidentResponsePlanSpecifications
Part ApplicableSystems Requirements Measures
1.1 HighImpactBESCyberSystems
MediumImpactBESCyberSystems
Oneormoreprocessestoidentify,
classify,andrespondtoCyber
SecurityIncidents.
Anexampleofevidencemayinclude,
butisnotlimitedto,dated
documentationofCyberSecurity
Incidentresponseplan(s)thatinclude
theprocesstoidentify,classify,and
respondtoCyberSecurityIncidents.
1.2 HighImpactBESCyberSystems
MediumImpactBESCyberSystems
Oneormoreprocessestodetermine
ifanidentifiedCyberSecurityIncident
isaReportableCyberSecurity
IncidentandnotifytheElectricity
SectorInformationSharingand
AnalysisCenter(ESISAC),unless
prohibitedbylaw.Initialnotification
totheESISAC,whichmaybeonlya
preliminarynotice,shallnotexceed
onehourfromthedeterminationofa
ReportableCyberSecurityIncident.
Examplesofevidencemayinclude,
butarenotlimitedto,dated
documentationofCyberSecurity
Incidentresponseplan(s)thatprovide
guidanceorthresholdsfor
determiningwhichCyberSecurity
IncidentsarealsoReportableCyber
SecurityIncidentsanddocumentation
ofinitialnoticestotheElectricity
SectorInformationSharingand
AnalysisCenter(ESISAC).
CIP0085CyberSecurityIncidentReportingandResponsePlanning
Page6of24
CIP0085TableR1CyberSecurityIncidentResponsePlanSpecifications
Part ApplicableSystems Requirements Measures
1.3 HighImpactBESCyberSystems
MediumImpactBESCyberSystems
TherolesandresponsibilitiesofCyber
SecurityIncidentresponsegroupsor
individuals.
Anexampleofevidencemayinclude,
butisnotlimitedto,datedCyber
SecurityIncidentresponseprocess(es)
orprocedure(s)thatdefinerolesand
responsibilities(e.g.,monitoring,
reporting,initiating,documenting,
etc.)ofCyberSecurityIncident
responsegroupsorindividuals.
1.4 HighImpactBESCyberSystems
MediumImpactBESCyberSystems
Incidenthandlingproceduresfor
CyberSecurityIncidents.
Anexampleofevidencemayinclude,
butisnotlimitedto,datedCyber
SecurityIncidentresponseprocess(es)
orprocedure(s)thataddressincident
handling(e.g.,containment,
eradication,recovery/incident
resolution).
CIP0085CyberSecurityIncidentReportingandResponsePlanning
Page7of24
R2. EachResponsibleEntityshallimplementeachofitsdocumentedCyberSecurityIncidentresponseplanstocollectively
includeeachoftheapplicablerequirementpartsinCIP0085TableR2CyberSecurityIncidentResponsePlan
ImplementationandTesting.[ViolationRiskFactor:Lower][TimeHorizon:OperationsPlanningandRealTime
Operations].
M2. Evidencemustinclude,butisnotlimitedto,documentationthatcollectivelydemonstratesimplementationofeachof
theapplicablerequirementpartsinCIP0085TableR2CyberSecurityIncidentResponsePlanImplementationand
Testing.
CIP0085TableR2CyberSecurityIncidentResponsePlanImplementationandTesting
Part ApplicableSystems Requirements Measures
2.1 HighImpactBESCyberSystems
MediumImpactBESCyberSystems
TesteachCyberSecurityIncident
responseplan(s)atleastonceevery
15calendarmonths:
Byrespondingtoanactual
ReportableCyberSecurity
Incident;
Withapaperdrillortabletop
exerciseofaReportableCyber
SecurityIncident;or
Withanoperationalexerciseofa
ReportableCyberSecurity
Incident.
Examplesofevidencemayinclude,
butarenotlimitedto,datedevidence
ofalessonslearnedreportthat
includesasummaryofthetestora
compilationofnotes,logs,and
communicationresultingfromthe
test.Typesofexercisesmayinclude
discussionoroperationsbased
exercises.
CIP0085CyberSecurityIncidentReportingandResponsePlanning
Page8of24
CIP0085TableR2CyberSecurityIncidentResponsePlanImplementationandTesting
Part ApplicableSystems Requirements Measures
2.2 HighImpactBESCyberSystems
MediumImpactBESCyberSystems
UsetheCyberSecurityIncident
responseplan(s)underRequirement
R1whenrespondingtoaReportable
CyberSecurityIncidentorperforming
anexerciseofaReportableCyber
SecurityIncident.Document
deviationsfromtheplan(s)taken
duringtheresponsetotheincidentor
exercise.
Examplesofevidencemayinclude,
butarenotlimitedto,incident
reports,logs,andnotesthatwere
keptduringtheincidentresponse
process,andfollowup
documentationthatdescribes
deviationstakenfromtheplanduring
theincidentorexercise.
2.3 HighImpactBESCyberSystems
MediumImpactBESCyberSystems
RetainrecordsrelatedtoReportable
CyberSecurityIncidents.
Anexampleofevidencemayinclude,
butisnotlimitedto,dated
documentation,suchassecuritylogs,
policereports,emails,responseforms
orchecklists,forensicanalysisresults,
restorationrecords,andpostincident
reviewnotesrelatedtoReportable
CyberSecurityIncidents.
CIP0085CyberSecurityIncidentReportingandResponsePlanning
Page9of24
R3. EachResponsibleEntityshallmaintaineachofitsCyberSecurityIncidentresponseplansaccordingtoeachofthe
applicablerequirementpartsinCIP0085TableR3CyberSecurityIncidentResponsePlanReview,Update,and
Communication.[ViolationRiskFactor:Lower][TimeHorizon:OperationsAssessment].
M3. Evidencemustinclude,butisnotlimitedto,documentationthatcollectivelydemonstratesmaintenanceofeachCyber
SecurityIncidentresponseplanaccordingtotheapplicablerequirementpartsinCIP0085TableR3CyberSecurity
Incident.
CIP0085CyberSecurityIncidentReportingandResponsePlanning
Page10of24
CIP0085TableR3CyberSecurityIncidentResponsePlan
Review,Update,andCommunication
Part ApplicableSystems Requirements Measures
3.1 HighImpactBESCyberSystems
MediumImpactBESCyberSystems
Nolaterthan90calendardaysafter
completionofaCyberSecurityIncident
responseplan(s)testoractual
ReportableCyberSecurityIncident
response:
3.1.1. Documentanylessonslearned
ordocumenttheabsenceof
anylessonslearned;
3.1.2. UpdatetheCyberSecurity
Incidentresponseplanbased
onanydocumentedlessons
learnedassociatedwiththe
plan;and
3.1.3. Notifyeachpersonorgroup
withadefinedroleintheCyber
SecurityIncidentresponseplan
oftheupdatestotheCyber
SecurityIncidentresponseplan
basedonanydocumented
lessonslearned.
Anexampleofevidencemayinclude,
butisnotlimitedto,allofthe
following:
1. Dateddocumentationofpost
incident(s)reviewmeetingnotes
orfollowupreportshowing
lessonslearnedassociatedwith
theCyberSecurityIncident
responseplan(s)testoractual
ReportableCyberSecurityIncident
responseordateddocumentation
statingtherewerenolessons
learned;
2. DatedandrevisedCyberSecurity
Incidentresponseplanshowing
anychangesbasedonthelessons
learned;and
3. Evidenceofplanupdate
distributionincluding,butnot
limitedto:
Emails;
USPSorothermailservice;
Electronicdistributionsystem;
or
Trainingsigninsheets.
CIP0085CyberSecurityIncidentReportingandResponsePlanning
Page11of24
CIP0085TableR3CyberSecurityIncidentResponsePlan
Review,Update,andCommunication
Part ApplicableSystems Requirements Measures
3.2 HighImpactBESCyberSystems
MediumImpactBESCyberSystems
Nolaterthan60calendardaysaftera
changetotherolesorresponsibilities,
CyberSecurityIncidentresponse
groupsorindividuals,ortechnology
thattheResponsibleEntitydetermines
wouldimpacttheabilitytoexecutethe
plan:
3.2.1. UpdatetheCyberSecurity
Incidentresponseplan(s);and
3.2.2. Notifyeachpersonorgroup
withadefinedroleintheCyber
SecurityIncidentresponseplan
oftheupdates.
Anexampleofevidencemayinclude,
butisnotlimitedto:
1. DatedandrevisedCyber
SecurityIncidentresponseplan
withchangestotherolesor
responsibilities,respondersor
technology;and
2. Evidenceofplanupdate
distributionincluding,butnot
limitedto:
Emails;
USPSorothermailservice;
Electronicdistribution
system;or
Trainingsigninsheets.
CIP0085CyberSecurityIncidentReportingandResponsePlanning
Page12of24
C. Compliance
1. ComplianceMonitoringProcess:
1.1. ComplianceEnforcementAuthority:
TheRegionalEntityshallserveastheComplianceEnforcementAuthority(CEA)unlessthe
applicableentityisowned,operated,orcontrolledbytheRegionalEntity.InsuchcasestheERO
oraRegionalEntityapprovedbyFERCorotherapplicablegovernmentalauthorityshallserveas
theCEA.
1.2. EvidenceRetention:
Thefollowingevidenceretentionperiodsidentifytheperiodoftimeanentityisrequiredto
retainspecificevidencetodemonstratecompliance.Forinstanceswheretheevidence
retentionperiodspecifiedbelowisshorterthanthetimesincethelastaudit,theCEAmayask
anentitytoprovideotherevidencetoshowthatitwascompliantforthefulltimeperiodsince
thelastaudit.
TheResponsibleEntityshallkeepdataorevidencetoshowcomplianceasidentifiedbelow
unlessdirectedbyitsCEAtoretainspecificevidenceforalongerperiodoftimeaspartofan
investigation:
EachResponsibleEntityshallretainevidenceofeachrequirementinthisstandardforthree
calendaryears.
IfaResponsibleEntityisfoundnoncompliant,itshallkeepinformationrelatedtothenon
complianceuntilmitigationiscompleteandapprovedorforthetimespecifiedabove,
whicheverislonger.
TheCEAshallkeepthelastauditrecordsandallrequestedandsubmittedsubsequentaudit
records.
1.3. ComplianceMonitoringandAssessmentProcesses:
ComplianceAudit
SelfCertification
SpotChecking
ComplianceInvestigation
SelfReporting
Complaint
1.4. AdditionalComplianceInformation:
None
CIP0085CyberSecurityIncidentReportingandResponsePlanning
Page13of24
2.TableofComplianceElements
R# Time
Horizon
VRF ViolationSeverityLevels(CIP0085)
LowerVSL ModerateVSL HighVSL SevereVSL
R1 LongTerm
Planning
Lower
TheResponsibleEntity
hasnotdevelopeda
CyberSecurity
Incidentresponseplan
withoneormore
processestoidentify,
classify,andrespond
toCyberSecurity
Incidents.(1.1)
OR
TheResponsibleEntity
hasdevelopedaCyber
SecurityIncident
responseplan,butthe
plandoesnotinclude
oneormore
processestoidentify
ReportableCyber
SecurityIncidents.
(1.2)
OR
TheResponsibleEntity
hasdevelopedaCyber
SecurityIncident
responseplan,butdid
CIP0085CyberSecurityIncidentReportingandResponsePlanning
Page14of24
R# Time
Horizon
VRF ViolationSeverityLevels(CIP0085)
LowerVSL ModerateVSL HighVSL SevereVSL
notprovideatleast
preliminary
notificationtoESISAC
withinonehourfrom
identificationofa
ReportableCyber
SecurityIncident.(1.2)
R2 Operations
Planning
Realtime
Operations
Lower TheResponsibleEntity
hasnottestedthe
CyberSecurity
Incidentresponse
plan(s)within15
calendarmonths,not
exceeding16calendar
monthsbetweentests
oftheplan.(2.1)
TheResponsibleEntity
hasnottestedthe
CyberSecurity
Incidentresponse
plan(s)within16
calendarmonths,not
exceeding17calendar
monthsbetweentests
oftheplan.(2.1)
TheResponsibleEntity
hasnottestedthe
CyberSecurity
Incidentresponse
plan(s)within17
calendarmonths,not
exceeding18calendar
monthsbetweentests
oftheplan.(2.1)
OR
TheResponsibleEntity
didnotdocument
deviations,ifany,
fromtheplanduringa
testorwhena
ReportableCyber
SecurityIncident
occurs.(2.2)
TheResponsibleEntity
hasnottestedthe
CyberSecurity
Incidentresponse
plan(s)within19
calendarmonths
betweentestsofthe
plan.(2.1)
OR
TheResponsibleEntity
didnotretainrelevant
recordsrelatedto
ReportableCyber
SecurityIncidents.
(2.3)
R3 Operations
Assessment
Lower
TheResponsibleEntity
hasnotnotifiedeach
personorgroupwith
TheResponsibleEntity
hasnotupdatedthe
TheResponsibleEntity
hasneither
TheResponsibleEntity
hasneither
CIP0085CyberSecurityIncidentReportingandResponsePlanning
Page15of24
R# Time
Horizon
VRF ViolationSeverityLevels(CIP0085)
LowerVSL ModerateVSL HighVSL SevereVSL
adefinedroleinthe
CyberSecurity
Incidentresponse
planofupdatestothe
CyberSecurity
Incidentresponse
planwithingreater
than90butlessthan
120calendardaysofa
testoractualincident
responsetoa
ReportableCyber
SecurityIncident.
(3.1.3)
CyberSecurity
Incidentresponseplan
basedonany
documentedlessons
learnedwithin90and
lessthan120calendar
daysofatestoractual
incidentresponsetoa
ReportableCyber
SecurityIncident.
(3.1.2)
OR
TheResponsibleEntity
hasnotnotifiedeach
personorgroupwitha
definedroleinthe
CyberSecurity
Incidentresponseplan
ofupdatestothe
CyberSecurity
Incidentresponseplan
within120calendar
daysofatestoractual
incidentresponsetoa
ReportableCyber
SecurityIncident.
(3.1.3)
OR
documentedlessons
learnednor
documentedthe
absenceofanylessons
learnedwithin90and
lessthan120calendar
daysofatestoractual
incidentresponsetoa
ReportableCyber
SecurityIncident.
(3.1.1)
OR
TheResponsibleEntity
hasnotupdatedthe
CyberSecurity
Incidentresponseplan
basedonany
documentedlessons
learnedwithin120
calendardaysofatest
oractualincident
responsetoa
ReportableCyber
SecurityIncident.
(3.1.2)
OR
TheResponsibleEntity
hasnotupdatedthe
documentedlessons
learnednor
documentedthe
absenceofany
lessonslearnedwithin
120calendardaysofa
testoractualincident
responsetoa
ReportableCyber
SecurityIncident.
(3.1.1)
CIP0085CyberSecurityIncidentReportingandResponsePlanning
Page16of24
R# Time
Horizon
VRF ViolationSeverityLevels(CIP0085)
LowerVSL ModerateVSL HighVSL SevereVSL
TheResponsibleEntity
hasnotupdatedthe
CyberSecurity
Incidentresponse
plan(s)ornotified
eachpersonorgroup
withadefinedrole
within60andless
than90calendardays
ofanyofthefollowing
changesthatthe
responsibleentity
determineswould
impacttheabilityto
executetheplan:(3.2)
Rolesor
responsibilities,or
CyberSecurity
Incidentresponse
groupsorindividuals,
or
Technology
changes.
CyberSecurity
Incidentresponse
plan(s)ornotified
eachpersonorgroup
withadefinedrole
within90calendar
daysofanyofthe
followingchangesthat
theresponsibleentity
determineswould
impacttheabilityto
executetheplan:(3.2)
Rolesor
responsibilities,or
CyberSecurity
Incidentresponse
groupsorindividuals,
or
Technology
changes.
CIP0085CyberSecurityIncidentReportingandResponsePlanning
Page17of24
D. Regional Variances
None.
E. Interpretations
None.
F. Associated Documents
None.
GuidelinesandTechnicalBasis
Page18of24
Guidelines and Technical Basis
Section4ScopeofApplicabilityoftheCIPCyberSecurityStandards
Section4.ApplicabilityofthestandardsprovidesimportantinformationforResponsible
EntitiestodeterminethescopeoftheapplicabilityoftheCIPCyberSecurityRequirements.
Section4.1.FunctionalEntitiesisalistofNERCfunctionalentitiestowhichthestandard
applies.IftheentityisregisteredasoneormoreofthefunctionalentitieslistedinSection4.1,
thentheNERCCIPCyberSecurityStandardsapply.NotethatthereisaqualificationinSection
4.1thatrestrictstheapplicabilityinthecaseofDistributionProviderstoonlythosethatown
certaintypesofsystemsandequipmentlistedin4.2.Furthermore,
Section4.2.FacilitiesdefinesthescopeoftheFacilities,systems,andequipmentownedby
theResponsibleEntity,asqualifiedinSection4.1,thatissubjecttotherequirementsofthe
standard.Asspecifiedintheexemptionsection4.2.3.5,thisstandarddoesnotapplyto
ResponsibleEntitiesthatdonothaveHighImpactorMediumImpactBESCyberSystemsunder
CIP0025scategorization.InadditiontothesetofBESFacilities,ControlCenters,andother
systemsandequipment,thelistincludesthesetofsystemsandequipmentownedby
DistributionProviders.WhiletheNERCGlossarytermFacilitiesalreadyincludestheBES
characteristic,theadditionaluseofthetermBEShereismeanttoreinforcethescopeof
applicabilityoftheseFacilitieswhereitisused,especiallyinthisapplicabilityscopingsection.
ThisineffectsetsthescopeofFacilities,systems,andequipmentthatissubjecttothe
standards.
RequirementR1:
Thefollowingguidelinesareavailabletoassistinaddressingtherequiredcomponentsofa
CyberSecurityIncidentresponseplan:
DepartmentofHomelandSecurity,ControlSystemsSecurityProgram,Developingan
IndustrialControlSystemsCyberSecurityIncidentResponseCapability,2009,onlineat
http://www.uscert.gov/control_systems/practices/documents/final
RP_ics_cybersecurity_incident_response_100609.pdf
NationalInstituteofStandardsandTechnology,ComputerSecurityIncidentHandling
Guide,SpecialPublication80061revision1,March2008,onlineat
http://csrc.nist.gov/publications/nistpubs/80061rev1/SP80061rev1.pdf
ForPart1.2,aReportableCyberSecurityIncidentisaCyberSecurityIncidentthathas
compromisedordisruptedoneormorereliabilitytasksofafunctionalentity.Itishelpfulto
distinguishReportableCyberSecurityIncidentsasoneresultinginanecessaryresponseaction.
Aresponseactioncanfallintooneoftwocategories:Necessaryorelective.Thedistinguishing
characteristiciswhetherornotactionwastakeninresponsetoanevent.Precautionary
measuresthatarenotinresponsetoanypersistentdamageoreffectsmaybedesignatedas
elective.Allotherresponseactionstoavoidanypersistentdamageoradverseeffects,which
includetheactivationofredundantsystems,shouldbedesignatedasnecessary.
GuidelinesandTechnicalBasis
Page19of24
ThereportingobligationsforReportableCyberSecurityIncidentsrequireatleastapreliminary
noticetotheESISACwithinonehourafterdeterminingthataCyberSecurityIncidentis
reportable(notwithinonehouroftheCyberSecurityIncident,animportantdistinction).This
additionisinresponsetothedirectiveaddressingthisissueinFERCOrderNo.706,paragraphs
673and676,toreportwithinonehour(atleastpreliminarily).Thisstandarddoesnotrequire
acompletereportwithinanhourofdeterminingthataCyberSecurityIncidentisreportable,
butatleastpreliminarynotice,whichmaybeaphonecall,anemail,orsendingaWebbased
notice.Thestandarddoesnotrequireaspecifictimeframeforcompletingthefullreport.
RequirementR2:
RequirementR2ensuresentitiesperiodicallytesttheCyberSecurityIncidentresponseplan.
ThisincludestherequirementinPart2.2toensuretheplanisactuallyusedwhentesting.The
testingrequirementsarespecificallyforReportableCyberSecurityIncidents.
EntitiesmayuseanactualresponsetoaReportableCyberSecurityIncidentasasubstitutefor
exercisingtheplanannually.Otherwise,entitiesmustexercisetheplanwithapaperdrill,
tabletopexercise,orfulloperationalexercise.Formorespecifictypesofexercises,refertothe
FEMAHomelandSecurityExerciseandEvaluationProgram(HSEEP).Itliststhefollowingfour
typesofdiscussionbasedexercises:seminar,workshop,tabletop,andgames.Inparticular,it
definesthat,Atabletopexerciseinvolveskeypersonneldiscussingsimulatedscenariosinan
informalsetting.Tabletopexercises(TTX)canbeusedtoassessplans,policies,and
procedures.
TheHSEEPliststhefollowingthreetypesofoperationsbasedexercises:Drill,functional
exercise,andfullscaleexercise.Itdefinesthat,[A]fullscaleexerciseisamultiagency,multi
jurisdictional,multidisciplineexerciseinvolvingfunctional(e.g.,jointfieldoffice,Emergency
operationcenters,etc.)andbootsonthegroundresponse(e.g.,firefightersdecontaminating
mockvictims).
Inadditiontotherequirementstoimplementtheresponseplan,Part2.3specifiesentitiesmust
retainrelevantrecordsforReportableCyberSecurityIncidents.Thereareseveralexamplesof
specifictypesofevidencelistedinthemeasure.Entitiesshouldrefertotheirhandling
procedurestodeterminethetypesofevidencetoretainandhowtotransportandstorethe
evidence.Forfurtherinformationinretainingincidentrecords,refertotheNISTGuideto
IntegratingForensicTechniquesintoIncidentResponse(SP80086).TheNISTguidelineincludes
asection(Section3.1.2)onacquiringdatawhenperformingforensics.
RequirementR3:
ThisrequirementensuresentitiesmaintainCyberSecurityIncidentresponseplans.Thereare
tworequirementpartsthattriggerplanupdates:(1)lessonslearnedfromPart3.1and(2)
organizationalortechnologychangesfromPart3.2.
ThedocumentationoflessonslearnedfromPart3.1isassociatedwitheachReportableCyber
SecurityIncidentandinvolvestheactivitiesasillustratedinFigure1,below.Thedeadlineto
documentlessonslearnedstartsafterthecompletionoftheincidentinrecognitionthat
complexincidentsoncomplexsystemscantakeafewdaysorweekstocompleteresponse
GuidelinesandTechnicalBasis
Page20of24
activities.Theprocessofconductinglessonslearnedcaninvolvetheresponseteamdiscussing
theincidenttodeterminegapsorareasofimprovementwithintheplan.Anydocumented
deviationsfromtheplanfromPart2.2canserveasinputtothelessonslearned.Itispossible
tohaveaReportableCyberSecurityIncidentwithoutanydocumentedlessonslearned.Insuch
cases,theentitymustretaindocumentationoftheabsenceofanylessonslearnedassociated
withtheReportableCyberSecurityIncident.
Figure 1: CIP-008-5 R3 Timeline for Reportable Cyber Security Incidents
Theactivitiesnecessarytocompletethelessonslearnedincludeupdatingtheplanand
distributingthoseupdates.Entitiesshouldconsidermeetingwithalloftheindividualsinvolved
intheincidentanddocumentingthelessonslearnedassoonaftertheincidentaspossible.This
allowsmoretimeformakingeffectiveupdatestotheplan,obtaininganynecessaryapprovals,
anddistributingthoseupdatestotheincidentresponseteam.
TheplanchangerequirementinPart3.2isassociatedwithorganizationandtechnology
changesreferencedintheplanandinvolvestheactivitiesillustratedinFigure2,below.
Organizationalchangesincludechangestotherolesandresponsibilitiespeoplehaveintheplan
orchangestotheresponsegroupsorindividuals.Thismayincludechangestothenamesor
contactinformationlistedintheplan.Technologychangesaffectingtheplanmayinclude
referencedinformationsources,communicationsystemsorticketingsystems.
Figure 2: Timeline for Plan Changes in 3.2
GuidelinesandTechnicalBasis
Page21of24
Rationale:
Duringthedevelopmentofthisstandard,referencestopriorversionsoftheCIPstandardsand
rationalefortherequirementsandtheirpartswereembeddedwithinthestandard.UponBOT
approval,thatinformationwasmovedtothissection.
RationaleforR1:
TheimplementationofaneffectiveCyberSecurityIncidentresponseplanmitigatestheriskto
thereliableoperationoftheBEScausedastheresultofaCyberSecurityIncidentandprovides
feedbacktoResponsibleEntitiesforimprovingthesecuritycontrolsapplyingtoBESCyber
Systems.Preventativeactivitiescanlowerthenumberofincidents,butnotallincidentscanbe
prevented.Apreplannedincidentresponsecapabilityisthereforenecessaryforrapidly
detectingincidents,minimizinglossanddestruction,mitigatingtheweaknessesthatwere
exploited,andrestoringcomputingservices.Anenterpriseorsingleincidentresponseplanfor
allBESCyberSystemsmaybeusedtomeettheRequirement.Anorganizationmayhavea
commonplanformultipleregisteredentitiesitowns.
SummaryofChanges:Wordingchangeshavebeenincorporatedbasedprimarilyonindustry
feedbacktomorespecificallydescriberequiredactions.
Referencetopriorversion:(Part1.1)CIP008,R1.1
ChangeDescriptionandJustification:(Part1.1)
Characterizehasbeenchangedtoidentifyforclarity.Responseactionshasbeenchanged
torespondtoforclarity.
Referencetopriorversion:(Part1.2)CIP008,R1.1
ChangeDescriptionandJustification:(Part1.2)
AddressesthereportingrequirementsfrompreviousversionsofCIP008.Thisrequirementpart
onlyobligatesentitiestohaveaprocessfordeterminingReportableCyberSecurityIncidents.
AlsoaddressesthedirectiveinFERCOrderNo.706,paragraphs673and676toreportwithin
onehour(atleastpreliminarily).
Referencetopriorversion:(Part1.3)CIP008,R1.2
ChangeDescriptionandJustification:(Part1.3)
Replacedincidentresponseteamswithincidentresponsegroupsorindividualstoavoidthe
interpretationthatrolesandresponsibilitiessectionsmustreferencespecificteams.
Referencetopriorversion:(Part1.4)CIP008,R1.2
ChangeDescriptionandJustification:(Part1.4)
ConformingchangetoreferencenewdefinedtermCyberSecurityIncidents.
GuidelinesandTechnicalBasis
Page22of24
RationaleforR2:
TheimplementationofaneffectiveCyberSecurityIncidentresponseplanmitigatestheriskto
thereliableoperationoftheBEScausedastheresultofaCyberSecurityIncidentandprovides
feedbacktoResponsibleEntitiesforimprovingthesecuritycontrolsapplyingtoBESCyber
Systems.Thisrequirementensuresimplementationoftheresponseplans.RequirementPart
2.3ensurestheretentionofincidentdocumentationforposteventanalysis.
ThisrequirementobligatesentitiestofollowtheCyberSecurityIncidentresponseplanwhenan
incidentoccursorwhentesting,butdoesnotrestrictentitiesfromtakingneededdeviations
fromtheplan.Itensurestheplanrepresentstheactualresponseanddoesnotexistfor
documentationonly.Ifaplaniswrittenatahighenoughlevel,theneveryactionduringthe
responseshouldnotbesubjecttoscrutiny.Theplanwilllikelyallowfortheappropriate
varianceintacticaldecisionsmadebyincidentresponders.Deviationsfromtheplancanbe
documentedduringtheincidentresponseorafterwardaspartofthereview.
SummaryofChanges:AddedtestingrequirementstoverifytheResponsibleEntitysresponse
planseffectivenessandconsistentapplicationinrespondingtoaCyberSecurityIncident(s)
impactingaBESCyberSystem.
Referencetopriorversion:(Part2.1)CIP008,R1.6
ChangeDescriptionandJustification:(Part2.1)
Minorwordingchanges;essentiallyunchanged.
Referencetopriorversion:(Part2.2)CIP008,R1.6
ChangeDescriptionandJustification:(Part2.2)
Allowsdeviationfromplan(s)duringactualeventsortestingifdeviationsarerecordedfor
review.
Referencetopriorversion:(Part2.3)CIP008,R2
ChangeDescriptionandJustification:(Part2.3)
RemovedreferencestotheretentionperiodbecausetheStandardaddressesdataretentionin
theComplianceSection.
RationaleforR3:
Conductsufficientreviews,updatesandcommunicationstoverifytheResponsibleEntitys
responseplanseffectivenessandconsistentapplicationinrespondingtoaCyberSecurity
Incident(s)impactingaBESCyberSystem.Aseparateplanisnotrequiredforthoserequirement
partsofthetableapplicabletoHighorMediumImpactBESCyberSystems.Ifanentityhasa
singleCyberSecurityIncidentresponseplanandHighorMediumImpactBESCyberSystems,
thentheadditionalrequirementswouldapplytothesingleplan.
SummaryofChanges:ChangeshereaddresstheFERCOrder706,Paragraph686,which
includesadirectivetoperformafteractionreviewfortestsoractualincidentsandupdatethe
GuidelinesandTechnicalBasis
Page23of24
planbasedonlessonslearned.Additionalchangesincludespecificationofwhatitmeansto
reviewtheplanandspecificationofchangesthatwouldrequireanupdatetotheplan.
Referencetopriorversion:(Part3.1)CIP008,R1.5
ChangeDescriptionandJustification:(Part3.1)
AddressesFERCOrder706,Paragraph686todocumenttestoractualincidentsandlessons
learned.
Referencetopriorversion:(Part3.2)CIP008,R1.4
ChangeDescriptionandJustification:(Part3.2)
Specifiestheactivitiesrequiredtomaintaintheplan.Thepreviousversionrequiredentitiesto
updatetheplaninresponsetoanychanges.Themodificationsmakeclearthechangesthat
wouldrequireanupdate.
Version History
Version Date Action ChangeTracking
1 1/16/06
R3.2ChangeControlCenterto
controlcenter.
3/24/06
2 9/30/09 Modificationstoclarifythe
requirementsandtobringthe
complianceelementsintoconformance
withthelatestguidelinesfordeveloping
complianceelementsofstandards.
Removalofreasonablebusiness
judgment.
ReplacedtheRROwiththeREasa
ResponsibleEntity.
RewordingofEffectiveDate.
Changedcompliancemonitorto
ComplianceEnforcementAuthority.
3 Updatedversionnumberfrom2to3
InRequirement1.6,deletedthe
sentencepertainingtoremoving
componentorsystemfromservicein
ordertoperformtesting,inresponseto
FERCorderissuedSeptember30,2009.
3 12/16/09 ApprovedbytheNERCBoardof
Trustees.
Update
3 3/31/10 ApprovedbyFERC.
GuidelinesandTechnicalBasis
Page24of24
4 12/30/10 Modifiedtoaddspecificcriteriafor
CriticalAssetidentification.
Update
4 1/24/11 ApprovedbytheNERCBoardof
Trustees.
Update
5 11/26/12 AdoptedbytheNERCBoardof
Trustees.
Modifiedto
coordinatewith
otherCIP
standardsandto
reviseformatto
useRBS
Template.
Standard CIP0093 Cyber Security Recovery Plans for Critical Cyber Assets
Approved by Board of Trustees: December 16, 2009 1
A. Introduction
1. Title: Cyber Security Recovery Plans for Critical Cyber Assets
2. Number: CIP-009-3
3. Purpose: Standard CIP-009-3 ensures that recovery plan(s) are put in place for Critical
Cyber Assets and that these plans follow established business continuity and disaster recovery
techniques and practices. Standard CIP-009-3 should be read as part of a group of standards
numbered Standards CIP-002-3 through CIP-009-3.
4. Applicability:
4.1. Within the text of Standard CIP-009-3, Responsible Entity shall mean:
4.1.1 Reliability Coordinator
4.1.2 Balancing Authority
4.1.3 Interchange Authority
4.1.4 Transmission Service Provider
4.1.5 Transmission Owner
4.1.6 Transmission Operator
4.1.7 Generator Owner
4.1.8 Generator Operator
4.1.9 Load Serving Entity
4.1.10 NERC
4.1.11 Regional Entity
4.2. The following are exempt from Standard CIP-009-3:
4.2.1 Facilities regulated by the U.S. Nuclear Regulatory Commission or the Canadian
Nuclear Safety Commission.
4.2.2 Cyber Assets associated with communication networks and data communication
links between discrete Electronic Security Perimeters.
4.2.3 Responsible Entities that, in compliance with Standard CIP-002-3, identify that
they have no Critical Cyber Assets.
5. Effective Date: The first day of the third calendar quarter after applicable regulatory approvals
have been received (or the Reliability Standard otherwise becomes effective the first day of the
third calendar quarter after BOT adoption in those jurisdictions where regulatory approval is
not required).
B. Requirements
R1. Recovery Plans The Responsible Entity shall create and annually review recovery plan(s)
for Critical Cyber Assets. The recovery plan(s) shall address at a minimum the following:
R1.1. Specify the required actions in response to events or conditions of varying duration
and severity that would activate the recovery plan(s).
R1.2. Define the roles and responsibilities of responders.
R2. Exercises The recovery plan(s) shall be exercised at least annually. An exercise of the
recovery plan(s) can range from a paper drill, to a full operational exercise, to recovery from an
actual incident.
Standard CIP0093 Cyber Security Recovery Plans for Critical Cyber Assets
Approved by Board of Trustees: December 16, 2009 2
R3. Change Control Recovery plan(s) shall be updated to reflect any changes or lessons learned
as a result of an exercise or the recovery from an actual incident. Updates shall be
communicated to personnel responsible for the activation and implementation of the recovery
plan(s) within thirty calendar days of the change being completed.
R4. Backup and Restore The recovery plan(s) shall include processes and procedures for the
backup and storage of information required to successfully restore Critical Cyber Assets. For
example, backups may include spare electronic components or equipment, written
documentation of configuration settings, tape backup, etc.
R5. Testing Backup Media Information essential to recovery that is stored on backup media shall
be tested at least annually to ensure that the information is available. Testing can be completed
off site.
C. Measures
M1. The Responsible Entity shall make available its recovery plan(s) as specified in Requirement
R1.
M2. The Responsible Entity shall make available its records documenting required exercises as
specified in Requirement R2.
M3. The Responsible Entity shall make available its documentation of changes to the recovery
plan(s), and documentation of all communications, as specified in Requirement R3.
M4. The Responsible Entity shall make available its documentation regarding backup and storage
of information as specified in Requirement R4.
M5. The Responsible Entity shall make available its documentation of testing of backup media as
specified in Requirement R5.
D. Compliance
1. Compliance Monitoring Process
1.1. Compliance Enforcement Authority
1.1.1 Regional Entity for Responsible Entities that do not perform delegated tasks for
their Regional Entity.
1.1.2 ERO for Regional Entities.
1.1.3 Third-party monitor without vested interest in the outcome for NERC.
1.2. Compliance Monitoring Period and Reset Time Frame
Not applicable.
1.3. Compliance Monitoring and Enforcement Processes
Compliance Audits
Self-Certifications
Spot Checking
Compliance Violation Investigations
Self-Reporting
Complaints
1.4. Data Retention
1.4.1 The Responsible Entity shall keep documentation required by Standard CIP-009-
3 from the previous full calendar year unless directed by its Compliance
Standard CIP0093 Cyber Security Recovery Plans for Critical Cyber Assets
Approved by Board of Trustees: December 16, 2009 3
Enforcement Authority to retain specific evidence for a longer period of time as
part of an investigation.
1.4.2 The Compliance Enforcement Authority in conjunction with the Registered
Entity shall keep the last audit records and all requested and submitted
subsequent audit records.
1.5. Additional Compliance Information
2. Violation Severity Levels (To be developed later.)
E. Regional Variances
None identified.
Version History
Version Date Action Change Tracking
2 Modifications to clarify the requirements
and to bring the compliance elements into
conformance with the latest guidelines for
developing compliance elements of
standards.
Removal of reasonable business judgment.
Replaced the RRO with the RE as a
responsible entity.
Rewording of Effective Date.
Communication of revisions to the recovery
plan changed from 90 days to 30 days.
Changed compliance monitor to
Compliance Enforcement Authority.
3 Updated version numbers from -2 to -3
3 12/16/09 Approved by the NERC Board of Trustees Update
Standard CIP0094 Cyber Security Recovery Plans for Critical Cyber As s ets
1
A. Introduction
1. Title: Cyber Security Recovery Plans for Critical Cyber Assets
2. Number: CIP-009-4
3. Purpose: Standard CIP-009-4 ensures that recovery plan(s) are put in place for Critical
Cyber Assets and that these plans follow established business continuity and disaster recovery
techniques and practices. Standard CIP-009-4 should be read as part of a group of standards
numbered Standards CIP-002-4 through CIP-009-4.
4. Applicability:
4.1. Within the text of Standard CIP-009-3, Responsible Entity shall mean:
4.1.1 Reliability Coordinator
4.1.2 Balancing Authority
4.1.3 Interchange Authority
4.1.4 Transmission Service Provider
4.1.5 Transmission Owner
4.1.6 Transmission Operator
4.1.7 Generator Owner
4.1.8 Generator Operator
4.1.9 Load Serving Entity
4.1.10 NERC
4.1.11 Regional Entity
4.2. The following are exempt from Standard CIP-009-4:
4.2.1 Facilities regulated by the Canadian Nuclear Safety Commission.
4.2.2 Cyber Assets associated with communication networks and data communication
links between discrete Electronic Security Perimeters.
4.2.3 In nuclear plants, the systems, structures, and components that are regulated by
the Nuclear Regulatory Commission under a cyber security plan pursuant to 10
C.F. R. Section 73.54
4.2.4 Responsible Entities that, in compliance with Standard CIP-002-4, identify that
they have no Critical Cyber Assets.
5. Effective Date: The first day of the eighth calendar quarter after applicable regulatory
approvals have been received (or the Reliability Standard otherwise becomes effective the first
day of the ninth calendar quarter after BOT adoption in those jurisdictions where regulatory
approval is not required).
B. Requirements
R1. Recovery Plans The Responsible Entity shall create and annually review recovery plan(s)
for Critical Cyber Assets. The recovery plan(s) shall address at a minimum the following:
R1.1. Specify the required actions in response to events or conditions of varying duration
and severity that would activate the recovery plan(s).
R1.2. Define the roles and responsibilities of responders.
Standard CIP0094 Cyber Security Recovery Plans for Critical Cyber As s ets
2
R2. Exercises The recovery plan(s) shall be exercised at least annually. An exercise of the
recovery plan(s) can range from a paper drill, to a full operational exercise, to recovery from an
actual incident.
R3. Change Control Recovery plan(s) shall be updated to reflect any changes or lessons learned
as a result of an exercise or the recovery from an actual incident. Updates shall be
communicated to personnel responsible for the activation and implementation of the recovery
plan(s) within thirty calendar days of the change being completed.
R4. Backup and Restore The recovery plan(s) shall include processes and procedures for the
backup and storage of information required to successfully restore Critical Cyber Assets. For
example, backups may include spare electronic components or equipment, written
documentation of configuration settings, tape backup, etc.
R5. Testing Backup Media Information essential to recovery that is stored on backup media shall
be tested at least annually to ensure that the information is available. Testing can be completed
off site.
C. Measures
M1. The Responsible Entity shall make available its recovery plan(s) as specified in Requirement
R1.
M2. The Responsible Entity shall make available its records documenting required exercises as
specified in Requirement R2.
M3. The Responsible Entity shall make available its documentation of changes to the recovery
plan(s), and documentation of all communications, as specified in Requirement R3.
M4. The Responsible Entity shall make available its documentation regarding backup and storage
of information as specified in Requirement R4.
M5. The Responsible Entity shall make available its documentation of testing of backup media as
specified in Requirement R5.
Standard CIP0094 Cyber Security Recovery Plans for Critical Cyber As s ets
3
D. Compliance
1. Compliance Monitoring Process
1.1. Compliance Enforcement Authority
1.2. The RE shall serve as the CEA with the following exceptions:
1.2.1 For entities that do not work for the Regional Entity, the Regional Entity shall serve as the Compliance Enforcement Authority.
1.2.2 For Reliability Coordinators and other functional entities that work for their Regional Entity, the ERO shall serve as the Compliance
Enforcement Authority.
1.2.3 For Responsible Entities that are also Regional Entities, the ERO or a Regional Entity approved by the ERO and FERC or other applicable
governmental authorities shall serve as the Compliance Enforcement Authority.
1.2.4 For the ERO, a third-party monitor without vested interest in the outcome for the ERO shall serve as the Compliance Enforcement
Authority.
1.3. Compliance Monitoring and Enforcement Processes
Compliance Audits
Self-Certifications
Spot Checking
Compliance Violation Investigations
Self-Reporting
Complaints
1.4. Data Retention
1.4.1 The Responsible Entity shall keep documentation required by Standard CIP-009-4 from the previous full calendar year unless directed by
its Compliance Enforcement Authority to retain specific evidence for a longer period of time as part of an investigation.
1.4.2 The Compliance Enforcement Authority in conjunction with the Registered Entity shall keep the last audit records and all requested and
submitted subsequent audit records.
1.5. Additional Compliance Information
2. Violation Severity Levels
Standard CIP0094 Cyber Security Recovery Plans for Critical Cyber As s ets
4
Requirement VRF Lower VSL Moderate VSL High VSL Severe VSL
R1 MEDIUM N/A The Responsible Entity has not
annually reviewed recovery
plan(s) for Critical Cyber
Assets.
The Responsible Entity has created recovery plan(s) for
Critical Cyber Assets but did not address one of the
requirements CIP-009-4 R1.1 or R1.2.
The Responsible Entity has not created recovery plan(s) for
Critical Cyber Assets that address at a minimum both
requirements CIP-009-4 R1.1 and R1.2.
R1.1. MEDIUM N/A N/A N/A N/A
R1.2. MEDIUM N/A N/A N/A N/A
R2 LOWER N/A N/A N/A The Responsible Entity's recovery plan(s) have not been
exercised at least annually.
R3 LOWER
The Responsible Entity's
recovery plan(s) have
been updated to reflect
any changes or lessons
learned as a result of an
exercise or the recovery
from an actual incident
but the updates were
communicated to
personnel responsible for
the activation and
implementation of the
recovery plan(s) in more
than 30 but less than or
equal to 120 calendar
days of the change.
The Responsible Entity's
recovery plan(s) have been
updated to reflect any changes
or lessons learned as a result of
an exercise or the recovery from
an actual incident but the
updates were communicated to
personnel responsible for the
activation and implementation
of the recovery plan(s) in more
than 120 but less than or equal
to 150 calendar days of the
change.
The Responsible Entity's recovery plan(s) have been
updated to reflect any changes or lessons learned as a result
of an exercise or the recovery from an actual incident but the
updates were communicated to personnel responsible for the
activation and implementation of the recovery plan(s) in
more than 150 but less than or equal to 180 calendar days of
the change.
The Responsible Entity's recovery plan(s) have not been updated
to reflect any changes or lessons learned as a result of an
exercise or the recovery from an actual incident.
OR
The Responsible Entity's recovery plan(s) have been updated to
reflect any changes or lessons learned as a result of an exercise
or the recovery from an actual incident but the updates were
communicated to personnel responsible for the activation and
implementation of the recovery plan(s) in more than 180
calendar days of the change.
R4 LOWER N/A N/A N/A The Responsible Entity's recovery plan(s) do not include
processes and procedures for the backup and storage of
information required to successfully restore Critical Cyber
Assets.
R5 LOWER N/A N/A N/A The Responsible Entity's information essential to recovery that is
stored on backup media has not been tested at least annually to
ensure that the information is available.
Standard CIP0094 Cyber Security Recovery Plans for Critical Cyber As s ets
5
E. Regional Variances
None identified.
Version History
Version Date Action Change Tracking
2 Modifications to clarify the requirements
and to bring the compliance elements into
conformance with the latest guidelines for
developing compliance elements of
standards.
Removal of reasonable business judgment.
Replaced the RRO with the RE as a
responsible entity.
Rewording of Effective Date.
Communication of revisions to the recovery
plan changed from 90 days to 30 days.
Changed compliance monitor to
Compliance Enforcement Authority.
3 Updated version numbers from -2 to -3
3 12/16/09 Approved by the NERC Board of Trustees Update
4 Board approved
01/24/2011
Update version number from 3 to 4 Update to conform to
changes to CIP-002-4
(Project 2008-06)
4 4/19/12 FERC Order issued approving CIP-009-4
(approval becomes effective June 25, 2012)
Added approved VRF/VSL table to section
D.2.
CIP0095CyberSecurityRecoveryPlansforBESCyberSystems
Page1of28
A. I ntroduction
1. Title: CyberSecurityRecoveryPlansforBESCyberSystems
2. Number: CIP0095
3. Purpose: TorecoverreliabilityfunctionsperformedbyBESCyberSystemsby
specifyingrecoveryplanrequirementsinsupportofthecontinued
stability,operability,andreliabilityoftheBES.
4. Applicability:
4.1. FunctionalEntities:Forthepurposeoftherequirementscontainedherein,the
followinglistoffunctionalentitieswillbecollectivelyreferredtoasResponsible
Entities.Forrequirementsinthisstandardwhereaspecificfunctionalentityor
subsetoffunctionalentitiesaretheapplicableentityorentities,thefunctionalentity
orentitiesarespecifiedexplicitly.
4.1.1 BalancingAuthority
4.1.2 DistributionProviderthatownsoneormoreofthefollowingFacilities,systems,
andequipmentfortheprotectionorrestorationoftheBES:
4.1.2.1 EachunderfrequencyLoadshedding(UFLS)orundervoltageLoadshedding
(UVLS)systemthat:
4.1.2.1.1 ispartofaLoadsheddingprogramthatissubjecttooneormore
requirementsinaNERCorRegionalReliabilityStandard;and
4.1.2.1.2 performsautomaticLoadsheddingunderacommoncontrolsystem
ownedbytheResponsibleEntity,withouthumanoperatorinitiation,
of300MWormore.
4.1.2.2 EachSpecialProtectionSystemorRemedialActionSchemewherethe
SpecialProtectionSystemorRemedialActionSchemeissubjecttooneor
morerequirementsinaNERCorRegionalReliabilityStandard.
4.1.2.3 EachProtectionSystem(excludingUFLSandUVLS)thatappliesto
TransmissionwheretheProtectionSystemissubjecttooneormore
requirementsinaNERCorRegionalReliabilityStandard.
4.1.2.4 EachCrankingPathandgroupofElementsmeetingtheinitialswitching
requirementsfromaBlackstartResourceuptoandincludingthefirst
interconnectionpointofthestartingstationserviceofthenextgeneration
unit(s)tobestarted.
4.1.3 GeneratorOperator
4.1.4 GeneratorOwner
4.1.5 InterchangeCoordinatororInterchangeAuthority
4.1.6 ReliabilityCoordinator
CIP0095CyberSecurityRecoveryPlansforBESCyberSystems
Page2of28
4.1.7 TransmissionOperator
4.1.8 TransmissionOwner
4.2. Facilities:Forthepurposeoftherequirementscontainedherein,thefollowing
Facilities,systems,andequipmentownedbyeachResponsibleEntityin4.1above
arethosetowhichtheserequirementsareapplicable.Forrequirementsinthis
standardwhereaspecifictypeofFacilities,system,orequipmentorsubsetof
Facilities,systems,andequipmentareapplicable,thesearespecifiedexplicitly.
4.2.1 DistributionProvider:OneormoreofthefollowingFacilities,systemsand
equipmentownedbytheDistributionProviderfortheprotectionorrestoration
oftheBES:
4.2.1.1 EachUFLSorUVLSSystemthat:
4.2.1.1.1 ispartofaLoadsheddingprogramthatissubjecttooneormore
requirementsinaNERCorRegionalReliabilityStandard;and
4.2.1.1.2 performsautomaticLoadsheddingunderacommoncontrolsystem
ownedbytheResponsibleEntity,withouthumanoperatorinitiation,
of300MWormore.
4.2.1.2 EachSpecialProtectionSystemorRemedialActionSchemewherethe
SpecialProtectionSystemorRemedialActionSchemeissubjecttooneor
morerequirementsinaNERCorRegionalReliabilityStandard.
4.2.1.3 EachProtectionSystem(excludingUFLSandUVLS)thatappliesto
TransmissionwheretheProtectionSystemissubjecttooneormore
requirementsinaNERCorRegionalReliabilityStandard.
4.2.1.4 EachCrankingPathandgroupofElementsmeetingtheinitialswitching
requirementsfromaBlackstartResourceuptoandincludingthefirst
interconnectionpointofthestartingstationserviceofthenextgeneration
unit(s)tobestarted.
4.2.2 ResponsibleEntitieslistedin4.1otherthanDistributionProviders:
AllBESFacilities.
4.2.3 Exemptions:ThefollowingareexemptfromStandardCIP0095:
4.2.3.1 CyberAssetsatFacilitiesregulatedbytheCanadianNuclearSafety
Commission.
4.2.3.2 CyberAssetsassociatedwithcommunicationnetworksanddata
communicationlinksbetweendiscreteElectronicSecurityPerimeters.
4.2.3.3 Thesystems,structures,andcomponentsthatareregulatedbytheNuclear
RegulatoryCommissionunderacybersecurityplanpursuantto10C.F.R.
Section73.54.
CIP0095CyberSecurityRecoveryPlansforBESCyberSystems
Page3of28
4.2.3.4 ForDistributionProviders,thesystemsandequipmentthatarenotincluded
insection4.2.1above.
4.2.3.5 ResponsibleEntitiesthatidentifythattheyhavenoBESCyberSystems
categorizedashighimpactormediumimpactaccordingtotheCIP0025
identificationandcategorizationprocesses.
5.EffectiveDates:
1.24MonthsMinimumCIP0095shallbecomeeffectiveonthelaterofJuly1,
2015,orthefirstcalendardayoftheninthcalendarquarteraftertheeffective
dateoftheorderprovidingapplicableregulatoryapproval.
2.Inthosejurisdictionswherenoregulatoryapprovalisrequired,CIP0095shall
becomeeffectiveonthefirstdayoftheninthcalendarquarterfollowingBoardof
Trusteesapproval,orasotherwisemadeeffectivepursuanttothelaws
applicabletosuchEROgovernmentalauthorities.
6.Background:
StandardCIP0095existsaspartofasuiteofCIPStandardsrelatedtocybersecurity.
CIP0025requirestheinitialidentificationandcategorizationofBESCyberSystems.
CIP0035,CIP0045,CIP0055,CIP0065,CIP0075,CIP0085,CIP0095,CIP0101,
andCIP0111requireaminimumleveloforganizational,operational,andprocedural
controlstomitigaterisktoBESCyberSystems.ThissuiteofCIPStandardsisreferred
toastheVersion5CIPCyberSecurityStandards.
Mostrequirementsopenwith,EachResponsibleEntityshallimplementoneormore
documented[processes,plan,etc]thatincludetheapplicableitemsin[Table
Reference].Thereferencedtablerequirestheapplicableitemsintheproceduresfor
therequirementscommonsubjectmatter.
TheSDThasincorporatedwithinthisstandardarecognitionthatcertainrequirements
shouldnotfocusonindividualinstancesoffailureasasolebasisforviolatingthe
standard.Inparticular,theSDThasincorporatedanapproachtoempowerand
enabletheindustrytoidentify,assess,andcorrectdeficienciesintheimplementation
ofcertainrequirements.Theintentistochangethebasisofaviolationinthose
requirementssothattheyarenotfocusedonwhetherthereisadeficiency,buton
identifying,assessing,andcorrectingdeficiencies.Itispresentedinthose
requirementsbymodifyingimplementasfollows:
EachResponsibleEntityshallimplement,inamannerthatidentifies,assesses,
andcorrectsdeficiencies,...
Thetermdocumentedprocessesreferstoasetofrequiredinstructionsspecifictothe
ResponsibleEntityandtoachieveaspecificoutcome.Thistermdoesnotimplyany
particularnamingorapprovalstructurebeyondwhatisstatedintherequirements.
Anentityshouldincludeasmuchasitbelievesnecessaryintheirdocumented
processes,buttheymustaddresstheapplicablerequirementsinthetable.The
CIP0095CyberSecurityRecoveryPlansforBESCyberSystems
Page4of28
documentedprocessesthemselvesarenotrequiredtoincludethe...identifies,
assesses,andcorrectsdeficiencies,..."elementsdescribedinthepreceding
paragraph,asthoseaspectsarerelatedtothemannerofimplementationofthe
documentedprocessesandcouldbeaccomplishedthroughothercontrolsor
compliancemanagementactivities.
Thetermsprogramandplanaresometimesusedinplaceofdocumentedprocesses
whereitmakessenseandiscommonlyunderstood.Forexample,documented
processesdescribingaresponsearetypicallyreferredtoasplans(i.e.,incident
responseplansandrecoveryplans).Likewise,asecurityplancandescribean
approachinvolvingmultipleprocedurestoaddressabroadsubjectmatter.
Similarly,thetermprogrammayrefertotheorganizationsoverallimplementationof
itspolicies,plansandproceduresinvolvingasubjectmatter.Examplesinthe
standardsincludethepersonnelriskassessmentprogramandthepersonneltraining
program.ThefullimplementationoftheCIPCyberSecurityStandardscouldalsobe
referredtoasaprogram.However,thetermsprogramandplandonotimplyany
additionalrequirementsbeyondwhatisstatedinthestandards.
ResponsibleEntitiescanimplementcommoncontrolsthatmeetrequirementsfor
multiplehighandmediumimpactBESCyberSystems.Forexample,asingletraining
programcouldmeettherequirementsfortrainingpersonnelacrossmultipleBES
CyberSystems.
Measuresfortheinitialrequirementaresimplythedocumentedprocesses
themselves.Measuresinthetablerowsprovideexamplesofevidencetoshow
documentationandimplementationofapplicableitemsinthedocumentedprocesses.
Thesemeasuresservetoprovideguidancetoentitiesinacceptablerecordsof
complianceandshouldnotbeviewedasanallinclusivelist.
Throughoutthestandards,unlessotherwisestated,bulleteditemsinthe
requirementsandmeasuresareitemsthatarelinkedwithanor,andnumbered
itemsareitemsthatarelinkedwithanand.
ManyreferencesintheApplicabilitysectionuseathresholdof300MWforUFLSand
UVLS.Thisparticularthresholdof300MWforUVLSandUFLSwasprovidedinVersion
1oftheCIPCyberSecurityStandards.Thethresholdremainsat300MWsinceitis
specificallyaddressingUVLSandUFLS,whicharelastditcheffortstosavetheBulk
ElectricSystem.AreviewofUFLStolerancesdefinedwithinregionalreliability
standardsforUFLSprogramrequirementstodateindicatesthatthehistoricalvalueof
300MWrepresentsanadequateandreasonablethresholdvalueforallowableUFLS
operationaltolerances.
CIP0095CyberSecurityRecoveryPlansforBESCyberSystems
Page5of28
ApplicableSystemsColumnsinTables:
EachtablehasanApplicableSystemscolumntofurtherdefinethescopeofsystems
towhichaspecificrequirementrowapplies.TheCSO706SDTadaptedthisconcept
fromtheNationalInstituteofStandardsandTechnology(NIST)RiskManagement
Frameworkasawayofapplyingrequirementsmoreappropriatelybasedonimpact
andconnectivitycharacteristics.Thefollowingconventionsareusedinthe
ApplicableSystemscolumnasdescribed.
HighImpactBESCyberSystemsAppliestoBESCyberSystemscategorizedas
highimpactaccordingtotheCIP0025identificationandcategorizationprocesses.
MediumImpactBESCyberSystemsAppliestoBESCyberSystemscategorizedas
mediumimpactaccordingtotheCIP0025identificationandcategorization
processes.
MediumImpactBESCyberSystemsatControlCentersOnlyappliestoBESCyber
SystemslocatedataControlCenterandcategorizedasmediumimpactaccording
totheCIP0025identificationandcategorizationprocesses.
ElectronicAccessControlorMonitoringSystems(EACMS)Appliestoeach
ElectronicAccessControlorMonitoringSystemassociatedwithareferencedhigh
impactBESCyberSystemormediumimpactBESCyberSystem.Examplesinclude,
butarenotlimitedtofirewalls,authenticationservers,andlogmonitoringand
alertingsystems.
PhysicalAccessControlSystems(PACS)AppliestoeachPhysicalAccessControl
SystemassociatedwithareferencedhighimpactBESCyberSystemormedium
impactBESCyberSystemwithExternalRoutableConnectivity.
CIP0095CyberSecurityRecoveryPlansforBESCyberSystems
Page6of28
B. Requirements and Measures
R1. EachResponsibleEntityshallhaveoneormoredocumentedrecoveryplansthatcollectivelyincludeeachoftheapplicable
requirementpartsinCIP0095TableR1RecoveryPlanSpecifications.[ViolationRiskFactor:Medium][TimeHorizon:
LongTermPlanning].
M1. Evidencemustincludethedocumentedrecoveryplan(s)thatcollectivelyincludetheapplicablerequirementpartsinCIP
0095TableR1RecoveryPlanSpecifications.
CIP0095TableR1RecoveryPlanSpecifications
Part ApplicableSystems Requirements Measures
1.1 HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;and
2. PACS
MediumImpactBESCyberSystems
andtheirassociated:
1. EACMS;and
2. PACS
Conditionsforactivationofthe
recoveryplan(s).
Anexampleofevidencemayinclude,
butisnotlimitedto,oneormore
plansthatincludelanguageidentifying
conditionsforactivationofthe
recoveryplan(s).
1.2 HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;and
2. PACS
MediumImpactBESCyberSystems
andtheirassociated:
1. EACMS;and
2. PACS
Rolesandresponsibilitiesof
responders.
Anexampleofevidencemayinclude,
butisnotlimitedto,oneormore
recoveryplansthatincludelanguage
identifyingtherolesand
responsibilitiesofresponders.
CIP0095CyberSecurityRecoveryPlansforBESCyberSystems
Page7of28
CIP0095TableR1RecoveryPlanSpecifications
Part ApplicableSystems Requirements Measures
1.3 HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;and
2. PACS
MediumImpactBESCyberSystems
andtheirassociated:
1. EACMS;and
2. PACS
Oneormoreprocessesforthebackup
andstorageofinformationrequired
torecoverBESCyberSystem
functionality.
Anexampleofevidencemayinclude,
butisnotlimitedto,documentation
ofspecificprocessesforthebackup
andstorageofinformationrequiredto
recoverBESCyberSystem
functionality.
CIP0095CyberSecurityRecoveryPlansforBESCyberSystems
Page8of28
CIP0095TableR1RecoveryPlanSpecifications
Part ApplicableSystems Requirements Measures
1.4 HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;and
2. PACS
MediumImpactBESCyberSystemsat
ControlCentersandtheirassociated:
1. EACMS;and
2. PACS
Oneormoreprocessestoverifythe
successfulcompletionofthebackup
processesinPart1.3andtoaddress
anybackupfailures.
Anexampleofevidencemayinclude,
butisnotlimitedto,logs,workflowor
otherdocumentationconfirmingthat
thebackupprocesscompleted
successfullyandbackupfailures,if
any,wereaddressed.
1.5 HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;and
2. PACS
MediumImpactBESCyberSystems
andtheirassociated:
1. EACMS;and
2. PACS
Oneormoreprocessestopreserve
data,perCyberAssetcapability,for
determiningthecauseofaCyber
SecurityIncidentthattriggers
activationoftherecoveryplan(s).
Datapreservationshouldnotimpede
orrestrictrecovery.
Anexampleofevidencemayinclude,
butisnotlimitedto,proceduresto
preservedata,suchaspreservinga
corrupteddriveormakingadata
mirrorofthesystembefore
proceedingwithrecovery.
CIP0095CyberSecurityRecoveryPlansforBESCyberSystems
Page9of28
R2. EachResponsibleEntityshallimplement,inamannerthatidentifies,assesses,andcorrectsdeficiencies,itsdocumented
recoveryplan(s)tocollectivelyincludeeachoftheapplicablerequirementpartsinCIP0095TableR2RecoveryPlan
ImplementationandTesting.[ViolationRiskFactor:Lower][TimeHorizon:OperationsPlanningandRealtimeOperations.]
M2. Evidencemustinclude,butisnotlimitedto,documentationthatcollectivelydemonstratesimplementationofeachofthe
applicablerequirementpartsinCIP0095TableR2RecoveryPlanImplementationandTesting.
CIP0095TableR2RecoveryPlanImplementationandTesting
Part ApplicableSystems Requirements Measures
2.1 HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;and
2. PACS
MediumImpactBESCyberSystemsat
ControlCentersandtheirassociated:
1. EACMS;and
2. PACS
Testeachoftherecoveryplans
referencedinRequirementR1atleast
onceevery15calendarmonths:
Byrecoveringfromanactual
incident;
Withapaperdrillortabletop
exercise;or
Withanoperationalexercise.
Anexampleofevidencemayinclude,
butisnotlimitedto,datedevidenceof
atest(byrecoveringfromanactual
incident,withapaperdrillortabletop
exercise,orwithanoperational
exercise)oftherecoveryplanatleast
onceevery15calendarmonths.For
thepaperdrillorfulloperational
exercise,evidencemayinclude
meetingnotices,minutes,orother
recordsofexercisefindings.
CIP0095CyberSecurityRecoveryPlansforBESCyberSystems
Page10of28
CIP0095TableR2RecoveryPlanImplementationandTesting
Part ApplicableSystems Requirements Measures
2.2 HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;and
2. PACS
MediumImpactBESCyberSystemsat
ControlCentersandtheirassociated:
1. EACMS;and
2. PACS
Testarepresentativesampleof
informationusedtorecoverBESCyber
Systemfunctionalityatleastonce
every15calendarmonthstoensure
thattheinformationisuseableandis
compatiblewithcurrent
configurations.
Anactualrecoverythatincorporates
theinformationusedtorecoverBES
CyberSystemfunctionalitysubstitutes
forthistest.
Anexampleofevidencemayinclude,
butisnotlimitedto,operationallogs
ortestresultswithcriteriafortesting
theusability(e.g.sampletapeload,
browsingtapecontents)and
compatibilitywithcurrentsystem
configurations(e.g.manualor
automatedcomparisoncheckpoints
betweenbackupmediacontentsand
currentconfiguration).
2.3 HighImpactBESCyberSystems
Testeachoftherecoveryplans
referencedinRequirementR1atleast
onceevery36calendarmonths
throughanoperationalexerciseofthe
recoveryplansinanenvironment
representativeoftheproduction
environment.
Anactualrecoveryresponsemay
substituteforanoperationalexercise.
Examplesofevidencemayinclude,but
arenotlimitedto,dated
documentationof:
Anoperationalexerciseatleast
onceevery36calendarmonths
betweenexercises,that
demonstratesrecoveryina
representativeenvironment;or
Anactualrecoveryresponsethat
occurredwithinthe36calendar
monthtimeframethatexercised
therecoveryplans.
CIP0095CyberSecurityRecoveryPlansforBESCyberSystems
Page11of28
R3. EachResponsibleEntityshallmaintaineachofitsrecoveryplansinaccordancewitheachoftheapplicablerequirementparts
inCIP0095TableR3RecoveryPlanReview,UpdateandCommunication.[ViolationRiskFactor:Lower][TimeHorizon:
OperationsAssessment].
M3. Acceptableevidenceincludes,butisnotlimitedto,eachoftheapplicablerequirementpartsinCIP0095TableR3Recovery
PlanReview,UpdateandCommunication.
CIP0095TableR3RecoveryPlanReview,UpdateandCommunication
Part ApplicableSystems Requirements Measures
3.1 HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;and
2. PACS
MediumImpactBESCyberSystemsat
ControlCentersandtheirassociated:
1. EACMS;and
2. PACS
Nolaterthan90calendardaysafter
completionofarecoveryplantestor
actualrecovery:
3.1.1. Documentanylessonslearned
associatedwitharecoveryplan
testoractualrecoveryor
documenttheabsenceofany
lessonslearned;
3.1.2. Updatetherecoveryplanbased
onanydocumentedlessons
learnedassociatedwiththe
plan;and
3.1.3. Notifyeachpersonorgroup
withadefinedroleinthe
recoveryplanoftheupdatesto
therecoveryplanbasedonany
documentedlessonslearned.
Anexampleofevidencemayinclude,
butisnotlimitedto,allofthe
following:
1. Dateddocumentationof
identifieddeficienciesorlessons
learnedforeachrecoveryplan
testoractualincidentrecovery
ordateddocumentationstating
therewerenolessonslearned;
2. Datedandrevisedrecoveryplan
showinganychangesbasedon
thelessonslearned;and
3. Evidenceofplanupdate
distributionincluding,butnot
limitedto:
Emails;
USPSorothermailservice;
Electronicdistribution
system;or
Trainingsigninsheets.
CIP0095CyberSecurityRecoveryPlansforBESCyberSystems
Page12of28
CIP0095TableR3RecoveryPlanReview,UpdateandCommunication
Part ApplicableSystems Requirements Measures
3.2 HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;and
2. PACS
MediumImpactBESCyberSystemsat
ControlCentersandtheirassociated:
1. EACMS;and
2. PACS
Nolaterthan60calendardaysaftera
changetotherolesorresponsibilities,
responders,ortechnologythatthe
ResponsibleEntitydetermineswould
impacttheabilitytoexecutethe
recoveryplan:
3.2.1. Updatetherecoveryplan;and
3.2.2. Notifyeachpersonorgroup
withadefinedroleinthe
recoveryplanoftheupdates.
Anexampleofevidencemayinclude,
butisnotlimitedto,allofthe
following:
1. Datedandrevisedrecovery
planwithchangestotheroles
orresponsibilities,
responders,ortechnology;
and
2. Evidenceofplanupdate
distributionincluding,butnot
limitedto:
Emails;
USPSorothermailservice;
Electronicdistribution
system;or
Trainingsigninsheets.
CIP0095CyberSecurityRecoveryPlansforBESCyberSystems
Page13of28
C. Compliance
1. ComplianceMonitoringProcess:
1.1. ComplianceEnforcementAuthority:
TheRegionalEntityshallserveastheComplianceEnforcementAuthority(CEA)unlessthe
applicableentityisowned,operated,orcontrolledbytheRegionalEntity.Insuchcasesthe
EROoraRegionalEntityapprovedbyFERCorotherapplicablegovernmentalauthorityshall
serveastheCEA.
1.2. EvidenceRetention:
Thefollowingevidenceretentionperiodsidentifytheperiodoftimeanentityisrequiredto
retainspecificevidencetodemonstratecompliance.Forinstanceswheretheevidence
retentionperiodspecifiedbelowisshorterthanthetimesincethelastaudit,theCEAmayask
anentitytoprovideotherevidencetoshowthatitwascompliantforthefulltimeperiodsince
thelastaudit.
TheResponsibleEntityshallkeepdataorevidencetoshowcomplianceasidentifiedbelow
unlessdirectedbyitsCEAtoretainspecificevidenceforalongerperiodoftimeaspartofan
investigation:
EachResponsibleEntityshallretainevidenceofeachrequirementinthisstandardforthree
calendaryears.
IfaResponsibleEntityisfoundnoncompliant,itshallkeepinformationrelatedtothenon
complianceuntilmitigationiscompleteandapprovedorforthetimespecifiedabove,
whicheverislonger.
TheCEAshallkeepthelastauditrecordsandallrequestedandsubmittedsubsequentaudit
records.
1.3. ComplianceMonitoringandAssessmentProcesses:
ComplianceAudit
SelfCertification
SpotChecking
ComplianceInvestigation
SelfReporting
Complaint
1.4. AdditionalComplianceInformation:
None
CIP0095CyberSecurityRecoveryPlansforBESCyberSystems
Page14of28
2.TableofComplianceElements
R# Time
Horizon
VRF ViolationSeverityLevels(CIP0095)
LowerVSL ModerateVSL HighVSL SevereVSL
R1 Long
term
Planning
Medium N/A TheResponsible
Entityhasdeveloped
recoveryplan(s),but
theplan(s)donot
addressoneofthe
requirements
includedinParts1.2
through1.5.
TheResponsible
Entityhasdeveloped
recoveryplan(s),but
theplan(s)donot
addresstwoofthe
requirements
includedinParts1.2
through1.5.
TheResponsible
Entityhasnotcreated
recoveryplan(s)for
BESCyberSystems.
OR
TheResponsible
Entityhascreated
recoveryplan(s)for
BESCyberSystems,
buttheplan(s)does
notaddressthe
conditionsfor
activationinPart1.1.
OR
TheResponsible
Entityhascreated
recoveryplan(s)for
BESCyberSystems,
buttheplan(s)does
notaddressthreeor
moreofthe
requirementsinParts
1.2through1.5.
R2 Operations Lower TheResponsible TheResponsible TheResponsible TheResponsible
CIP0095CyberSecurityRecoveryPlansforBESCyberSystems
Page15of28
R# Time
Horizon
VRF ViolationSeverityLevels(CIP0095)
LowerVSL ModerateVSL HighVSL SevereVSL
Planning
Realtime
Operations
Entityhasnottested
therecoveryplan(s)
accordingtoR2Part
2.1within15
calendarmonths,not
exceeding16
calendarmonths
betweentestsofthe
plan,andwhen
tested,any
deficiencieswere
identified,assessed,
andcorrected.(2.1)
OR
TheResponsible
Entityhasnottested
arepresentative
sampleofthe
informationusedin
therecoveryofBES
CyberSystem
functionality
accordingtoR2Part
2.2within15
calendarmonths,not
exceeding16
calendarmonths
betweentests,and
whentested,any
Entityhasnottested
therecoveryplan(s)
within16calendar
months,not
exceeding17
calendarmonths
betweentestsofthe
plan,andwhen
tested,any
deficiencieswere
identified,assessed,
andcorrected.(2.1)
OR
TheResponsible
Entityhasnottested
arepresentative
sampleofthe
informationusedin
therecoveryofBES
CyberSystem
functionality
accordingtoR2Part
2.2within16
calendarmonths,not
exceeding17
calendarmonths
betweentests,and
whentested,any
deficiencieswere
Entityhasnottested
therecoveryplan(s)
accordingtoR2Part
2.1within17calendar
months,not
exceeding18calendar
monthsbetweentests
oftheplan,andwhen
tested,any
deficiencieswere
identified,assessed,
andcorrected.(2.1)
OR
TheResponsible
Entityhasnottested
arepresentative
sampleofthe
informationusedin
therecoveryofBES
CyberSystem
functionality
accordingtoR2Part
2.2within17
calendarmonths,not
exceeding18
calendarmonths
betweentests,and
whentested,any
deficiencieswere
Entityhasnottested
therecoveryplan(s)
accordingtoR2Part
2.1within18
calendarmonths
betweentestsofthe
plan.(2.1)
OR
TheResponsible
Entityhastestedthe
recoveryplan(s)
accordingtoR2Part
2.1andidentified
deficiencies,butdid
notassessorcorrect
thedeficiencies.(2.1)
OR
TheResponsible
Entityhastestedthe
recoveryplan(s)
accordingtoR2Part
2.1butdidnot
identify,assess,or
correctthe
deficiencies.(2.1)
OR
TheResponsible
CIP0095CyberSecurityRecoveryPlansforBESCyberSystems
Page16of28
R# Time
Horizon
VRF ViolationSeverityLevels(CIP0095)
LowerVSL ModerateVSL HighVSL SevereVSL
deficiencieswere
identified,assessed,
andcorrected.(2.2)
OR
TheResponsible
Entityhasnottested
therecoveryplan
accordingtoR2Part
2.3within36
calendarmonths,not
exceeding37
calendarmonths
betweentests,and
whentested,any
deficiencieswere
identified,assessed,
andcorrected.(2.3)
identified,assessed,
andcorrected.(2.2)
OR
TheResponsible
Entityhasnottested
therecoveryplan
accordingtoR2Part
2.3within37
calendarmonths,not
exceeding38
calendarmonths
betweentests,and
whentested,any
deficiencieswere
identified,assessed,
andcorrected.(2.3)
identified,assessed,
andcorrected.(2.2)
OR
TheResponsible
Entityhasnottested
therecoveryplan
accordingtoR2Part
2.3within38
calendarmonths,not
exceeding39
calendarmonths
betweentests,and
whentested,any
deficiencieswere
identified,assessed,
andcorrected.(2.3)
Entityhasnottested
arepresentative
sampleofthe
informationusedin
therecoveryofBES
CyberSystem
functionality
accordingtoR2Part
2.2within18
calendarmonths
betweentests.(2.2)
OR
TheResponsible
Entityhastesteda
representative
sampleofthe
informationusedin
therecoveryofBES
CyberSystem
functionality
accordingtoR2Part
2.2andidentified
deficiencies,butdid
notassessorcorrect
thedeficiencies.(2.2)
OR
TheResponsible
Entityhastesteda
CIP0095CyberSecurityRecoveryPlansforBESCyberSystems
Page17of28
R# Time
Horizon
VRF ViolationSeverityLevels(CIP0095)
LowerVSL ModerateVSL HighVSL SevereVSL
representative
sampleofthe
informationusedin
therecoveryofBES
CyberSystem
functionality
accordingtoR2Part
2.2butdidnot
identify,assess,or
correctthe
deficiencies.(2.2)
OR
TheResponsible
Entityhasnottested
therecoveryplan(s)
accordingtoR2Part
2.3within39
calendarmonths
betweentestsofthe
plan.(2.3)
OR
TheResponsible
Entityhastestedthe
recoveryplan(s)
accordingtoR2Part
2.3andidentified
deficiencies,butdid
notassessorcorrect
CIP0095CyberSecurityRecoveryPlansforBESCyberSystems
Page18of28
R# Time
Horizon
VRF ViolationSeverityLevels(CIP0095)
LowerVSL ModerateVSL HighVSL SevereVSL
thedeficiencies.(2.3)
OR
TheResponsible
Entityhastestedthe
recoveryplan(s)
accordingtoR2Part
2.3butdidnot
identify,assess,or
correctthe
deficiencies.(2.3)
R3 Operations
Assessment
Lower TheResponsible
Entityhasnot
notifiedeachperson
orgroupwitha
definedroleinthe
recoveryplan(s)of
updateswithin90
andlessthan210
calendardaysofthe
updatebeing
completed.(3.1.3)
TheResponsible
Entityhasnot
updatedtherecovery
plan(s)basedonany
documentedlessons
learnedwithin90and
lessthan210calendar
daysofeachrecovery
plantestoractual
recovery.(3.1.2)
OR
TheResponsible
Entityhasnotnotified
eachpersonorgroup
withadefinedrolein
therecoveryplan(s)
ofupdateswithin120
TheResponsible
Entityhasneither
documentedlessons
learnednor
documentedthe
absenceofany
lessonslearnedwithin
90andlessthan210
calendardaysofeach
recoveryplantestor
actualrecovery.
(3.1.1)
OR
TheResponsible
Entityhasnot
updatedtherecovery
plan(s)basedonany
TheResponsible
Entityhasneither
documentedlessons
learnednor
documentedthe
absenceofany
lessonslearned
within210calendar
daysofeachrecovery
plantestoractual
recovery.(3.1.1)
CIP0095CyberSecurityRecoveryPlansforBESCyberSystems
Page19of28
R# Time
Horizon
VRF ViolationSeverityLevels(CIP0095)
LowerVSL ModerateVSL HighVSL SevereVSL
calendardaysofthe
updatebeing
completed.(3.1.3)
OR
TheResponsible
Entityhasnot
updatedtherecovery
plan(s)ornotified
eachpersonorgroup
withadefinedrole
within60andless
than90calendardays
ofanyofthe
followingchanges
thattheresponsible
entitydetermines
wouldimpactthe
abilitytoexecutethe
plan:(3.2)
Rolesor
responsibilities,or
Responders,or
Technology
changes.
documentedlessons
learnedwithin120
calendardaysofeach
recoveryplantestor
actualrecovery.
(3.1.2)
OR
TheResponsible
Entityhasnot
updatedtherecovery
plan(s)ornotified
eachpersonorgroup
withadefinedrole
within90calendar
daysofanyofthe
followingchanges
thattheresponsible
entitydetermines
wouldimpactthe
abilitytoexecutethe
plan:(3.2)
Rolesor
responsibilities,or
Responders,or
Technologychanges.
CIP0095CyberSecurityRecoveryPlansforBESCyberSystems
Page20of28
D. Regional Variances
None.
E. Interpretations
None.
F. Associated Documents
None.
GuidelinesandTechnicalBasis
Page21of28
Guidelines and Technical Basis
Section4ScopeofApplicabilityoftheCIPCyberSecurityStandards
Section4.ApplicabilityofthestandardsprovidesimportantinformationforResponsible
EntitiestodeterminethescopeoftheapplicabilityoftheCIPCyberSecurityRequirements.
Section4.1.FunctionalEntitiesisalistofNERCfunctionalentitiestowhichthestandard
applies.IftheentityisregisteredasoneormoreofthefunctionalentitieslistedinSection4.1,
thentheNERCCIPCyberSecurityStandardsapply.NotethatthereisaqualificationinSection
4.1thatrestrictstheapplicabilityinthecaseofDistributionProviderstoonlythosethatown
certaintypesofsystemsandequipmentlistedin4.2.Furthermore,
Section4.2.FacilitiesdefinesthescopeoftheFacilities,systems,andequipmentownedby
theResponsibleEntity,asqualifiedinSection4.1,thatissubjecttotherequirementsofthe
standard.Asspecifiedintheexemptionsection4.2.3.5,thisstandarddoesnotapplyto
ResponsibleEntitiesthatdonothaveHighImpactorMediumImpactBESCyberSystemsunder
CIP0025scategorization.InadditiontothesetofBESFacilities,ControlCenters,andother
systemsandequipment,thelistincludesthesetofsystemsandequipmentownedby
DistributionProviders.WhiletheNERCGlossarytermFacilitiesalreadyincludestheBES
characteristic,theadditionaluseofthetermBEShereismeanttoreinforcethescopeof
applicabilityoftheseFacilitieswhereitisused,especiallyinthisapplicabilityscopingsection.
ThisineffectsetsthescopeofFacilities,systems,andequipmentthatissubjecttothe
standards.
RequirementR1:
Thefollowingguidelinesareavailabletoassistinaddressingtherequiredcomponentsofa
recoveryplan:
NERC,SecurityGuidelinefortheElectricitySector:ContinuityofBusinessProcessesand
OperationsOperationalFunctions,September2011,onlineat
http://www.nerc.com/docs/cip/sgwg/Continuity%20of%20Business%20and%20Operation
al%20Functions%20FINAL%20102511.pdf
NationalInstituteofStandardsandTechnology,ContingencyPlanningGuideforFederal
InformationSystems,SpecialPublication80034revision1,May2010,onlineat
http://csrc.nist.gov/publications/nistpubs/80034rev1/sp80034rev1_errataNov11
2010.pdf
ThetermrecoveryplanisusedthroughoutthisStandardtorefertoadocumentedsetof
instructionsandresourcesneededtorecoverreliabilityfunctionsperformedbyBESCyber
Systems.Therecoveryplanmayexistaspartofalargerbusinesscontinuityordisasterrecovery
plan,butthetermdoesnotimplyanyadditionalobligationsassociatedwiththosedisciplines
outsideoftheRequirements.
AdocumentedrecoveryplanmaynotbenecessaryforeachapplicableBESCyberSystem.For
example,theshorttermrecoveryplanforaBESCyberSysteminaspecificsubstationmaybe
GuidelinesandTechnicalBasis
Page22of28
managedonadailybasisbyadvancedpowersystemapplicationssuchasstateestimation,
contingencyandremedialaction,andoutagescheduling.OnerecoveryplanforBESCyber
Systemsshouldsufficeforseveralsimilarfacilitiessuchasthosefoundinsubstationsorpower
plantsfacilities.
ForPart1.1,theconditionsforactivationoftherecoveryplanshouldconsiderviablethreatsto
theBESCyberSystemsuchasnaturaldisasters,computingequipmentfailures,computing
environmentfailures,andCyberSecurityIncidents.AbusinessimpactanalysisfortheBESCyber
Systemmaybeusefulindeterminingtheseconditions.
ForPart1.2,entitiesshouldidentifytheindividualsrequiredforrespondingtoarecovery
operationoftheapplicableBESCyberSystem.
ForPart1.3,entitiesshouldconsiderthefollowingtypesofinformationtorecoverBESCyber
Systemfunctionality:
1. Installationfilesandmedia;
2. Currentbackuptapesandanyadditionaldocumentedconfigurationsettings;
3. Documentedbuildorrestorationprocedures;and
4. Crosssitereplicationstorage.
ForPart1.4,theprocessestoverifythesuccessfulcompletionofbackupprocessesshould
includecheckingfor:(1)usabilityofbackupmedia,(2)logsorinspectionshowingthat
informationfromcurrent,productionsystemcouldberead,and(3)logsorinspectionshowing
thatinformationwaswrittentothebackupmedia.Testrestorationsarenotrequiredforthis
RequirementPart.Thefollowingbackupscenariosprovideexamplesofeffectiveprocessesto
verifysuccessfulcompletionanddetectanybackupfailures:
Periodic(e.g.dailyorweekly)backupprocessReviewgeneratedlogsorjobstatus
reportsandsetupnotificationsforbackupfailures.
NonperiodicbackupprocessIfasinglebackupisprovidedduringthecommissioningof
thesystem,thenonlytheinitialandperiodic(every15months)testingmustbedone.
Additionaltestingshouldbedoneasnecessaryandcanbeapartoftheconfiguration
changemanagementprogram.
DatamirroringConfigurealertsonthefailureofdatatransferforanamountoftime
specifiedbytheentity(e.g.15minutes)inwhichtheinformationonthemirroreddisk
maynolongerbeusefulforrecovery.
ManualconfigurationinformationInspecttheinformationusedforrecoverypriorto
storinginitiallyandperiodically(every15months).Additionalinspectionshouldbedone
asnecessaryandcanbeapartoftheconfigurationchangemanagementprogram.
Theplanmustalsoincludeprocessestoaddressbackupfailures.Theseprocessesshouldspecify
theresponsetofailurenotificationsorotherformsofidentification.
ForPart1.5,therecoveryplanmustincludeconsiderationsforpreservationofdatato
determinethecauseofaCyberSecurityIncident.Becauseitisnotalwayspossibletoinitially
GuidelinesandTechnicalBasis
Page23of28
knowifaCyberSecurityIncidentcausedtherecoveryactivation,thedatapreservation
proceduresshouldbefolloweduntilsuchpointaCyberSecurityIncidentcanberuledout.CIP
008addressestheretentionofdataassociatedwithaCyberSecurityIncident.
RequirementR2:
AResponsibleEntitymustexerciseeachBESCyberSystemrecoveryplanevery15months.
However,thisdoesnotnecessarilymeanthattheentitymusttesteachplanindividually.BES
CyberSystemsthatarenumerousanddistributed,suchasthosefoundatsubstations,maynot
requireanindividualrecoveryplanandtheassociatedredundantfacilitiessincereengineering
andreconstructionmaybethegenericresponsetoasevereevent.Conversely,thereistypically
onecontrolcenterperbulktransmissionserviceareathatrequiresaredundantorbackup
facility.Becauseofthesedifferences,therecoveryplansassociatedwithcontrolcentersdiffera
greatdealfromthoseassociatedwithpowerplantsandsubstations.
Arecoveryplantestdoesnotnecessarilycoverallaspectsofarecoveryplanandfailure
scenarios,butthetestshouldbesufficienttoensuretheplanisuptodateandatleastone
restorationprocessoftheapplicablecybersystemsiscovered.
Entitiesmayuseanactualrecoveryasasubstituteforexercisingtheplanevery15months.
Otherwise,entitiesmustexercisetheplanwithapaperdrill,tabletopexercise,oroperational
exercise.Formorespecifictypesofexercises,refertotheFEMAHomelandSecurityExercise
andEvaluationProgram(HSEEP).Itliststhefollowingfourtypesofdiscussionbasedexercises:
seminar,workshop,tabletop,andgames.Inparticular,itdefinesthat,Atabletopexercise
involveskeypersonneldiscussingsimulatedscenariosinaninformalsetting.[Tabletop
exercises(TTX)]canbeusedtoassessplans,policies,andprocedures.
TheHSEEPliststhefollowingthreetypesofoperationsbasedexercises:Drill,functional
exercise,andfullscaleexercise.Itdefinesthat,[A]fullscaleexerciseisamultiagency,multi
jurisdictional,multidisciplineexerciseinvolvingfunctional(e.g.,jointfieldoffice,Emergency
operationcenters,etc.)andbootsonthegroundresponse(e.g.,firefightersdecontaminating
mockvictims).
ForPart2.2,entitiesshouldrefertothebackupandstorageofinformationrequiredtorecover
BESCyberSystemfunctionalityinRequirementPart1.3.Thisprovidesadditionalassurancethat
theinformationwillactuallyrecovertheBESCyberSystemasnecessary.Formostcomplex
computingequipment,afulltestoftheinformationisnotfeasible.Entitiesshoulddetermine
therepresentativesampleofinformationthatprovidesassuranceintheprocessesfor
RequirementPart1.3.Thetestmustincludestepsforensuringtheinformationisuseableand
current.Forbackupmedia,thiscanincludetestingarepresentativesampletomakesurethe
informationcanbeloaded,andcheckingthecontenttomakesuretheinformationreflectsthe
currentconfigurationoftheapplicableCyberAssets.
RequirementR3:
Thisrequirementensuresentitiesmaintainrecoveryplans.Therearetworequirementparts
thattriggerplanupdates:(1)lessonslearnedand(2)organizationalortechnologychanges.
GuidelinesandTechnicalBasis
Page24of28
Thedocumentationoflessonslearnedisassociatedwitheachrecoveryactivation,andit
involvestheactivitiesasillustratedinFigure1,below.Thedeadlinetodocumentlessons
learnedstartsafterthecompletionoftherecoveryoperationinrecognitionthatcomplex
recoveryactivitiescantakeafewdaysorweekstocomplete.Theprocessofconducting
lessonslearnedcaninvolvetherecoveryteamdiscussingtheincidenttodeterminegapsor
areasofimprovementwithintheplan.Itispossibletohavearecoveryactivationwithoutany
documentedlessonslearned.Insuchcases,theentitymustretaindocumentationofthe
absenceofanylessonslearnedassociatedwiththerecoveryactivation.
Figure 1: CIP-009-5 R3 Timeline
Theactivitiesnecessarytocompletethelessonslearnedincludeupdatingtheplanand
distributingthoseupdates.Entitiesshouldconsidermeetingwithalloftheindividualsinvolved
intherecoveryanddocumentingthelessonslearnedassoonaftertherecoveryactivationas
possible.Thisallowsmoretimeformakingeffectiveupdatestotheplan,obtainingany
necessaryapprovals,anddistributingthoseupdatestotherecoveryteam.
Theplanchangerequirementisassociatedwithorganizationandtechnologychanges
referencedintheplanandinvolvestheactivitiesillustratedinFigure2,below.Organizational
changesincludechangestotherolesandresponsibilitiespeoplehaveintheplanorchangesto
theresponsegroupsorindividuals.Thismayincludechangestothenamesorcontact
informationlistedintheplan.Technologychangesaffectingtheplanmayincludereferenced
informationsources,communicationsystems,orticketingsystems.
GuidelinesandTechnicalBasis
Page25of28
Figure 2: Timeline for Plan Changes in 3.2
Whennotifyingindividualsofresponseplanchanges,entitiesshouldkeepinmindthatrecovery
plansmaybeconsideredBESCyberSystemInformation,andtheyshouldtaketheappropriate
measurestopreventunauthorizeddisclosureofrecoveryplaninformation.Forexample,the
recoveryplanitself,orothersensitiveinformationabouttherecoveryplan,shouldberedacted
fromEmailorotherunencryptedtransmission.
Rationale:
Duringthedevelopmentofthisstandard,referencestopriorversionsoftheCIPstandardsand
rationalefortherequirementsandtheirpartswereembeddedwithinthestandard.UponBOT
approval,thatinformationwasmovedtothissection.
RationaleforR1:
Preventativeactivitiescanlowerthenumberofincidents,butnotallincidentscanbe
prevented.Apreplannedrecoverycapabilityis,therefore,necessaryforrapidlyrecovering
fromincidents,minimizinglossanddestruction,mitigatingtheweaknessesthatwereexploited,
andrestoringcomputingservicessothatplannedandconsistentrecoveryactiontorestoreBES
CyberSystemfunctionalityoccurs.
SummaryofChanges:Addedprovisionstoprotectdatathatwouldbeusefulinthe
investigationofaneventthatresultsintheneedforaCyberSystemrecoveryplantobe
utilized.
Referencetopriorversion:(Part1.1)CIP009,R1.1
ChangeDescriptionandJustification:(Part1.1)
Minorwordingchanges;essentiallyunchanged.
Referencetopriorversion:(Part1.2)CIP009,R1.2
ChangeDescriptionandJustification:(Part1.2)
Minorwordingchanges;essentiallyunchanged.
GuidelinesandTechnicalBasis
Page26of28
Referencetopriorversion:(Part1.3)CIP009,R4
ChangeDescriptionandJustification:(Part1.3)
AddressesFERCOrderParagraph739and748.Themodifiedwordingwasabstractedfrom
Paragraph744.
Referencetopriorversion:(Part1.4)NewRequirement
ChangeDescriptionandJustification:(Part1.4)
AddressesFERCOrderSection739and748.
Referencetopriorversion:(Part1.5)NewRequirement
ChangeDescriptionandJustification:(Part1.5)
AddedrequirementtoaddressFERCOrderNo.706,Paragraph706.
RationaleforR2:
Theimplementationofaneffectiverecoveryplanmitigatestherisktothereliableoperationof
theBESbyreducingthetimetorecoverfromvarioushazardsaffectingBESCyberSystems.This
requirementensurescontinuedimplementationoftheresponseplans.
RequirementPart2.2providesfurtherassuranceintheinformation(e.g.backuptapes,
mirroredhotsites,etc.)necessarytorecoverBESCyberSystems.Afulltestisnotfeasiblein
mostinstancesduetotheamountofrecoveryinformation,andtheResponsibleEntitymust
determineasamplingthatprovidesassuranceintheusabilityoftheinformation.
SummaryofChanges.AddedoperationaltestingforrecoveryofBESCyberSystems.
Referencetopriorversion:(Part2.1)CIP009,R2
ChangeDescriptionandJustification:(Part2.1)
Minorwordingchange;essentiallyunchanged.
Referencetopriorversion:(Part2.2)CIP009,R5
ChangeDescriptionandJustification:(Part2.2)
Specifieswhattotestandmakesclearthetestcanbearepresentativesampling.These
changes,alongwithRequirementPart1.4addresstheFERCOrderNo.706,Paragraphs739and
748relatedtotestingofbackupsbyprovidinghighconfidencetheinformationwillactually
recoverthesystemasnecessary.
Referencetopriorversion:(Part2.3)CIP009,R2
ChangeDescriptionandJustification:(Part2.3)
AddressesFERCOrderNo.706,Paragraph725toaddtherequirementthattherecoveryplan
testbeafulloperationaltestonceevery3years.
GuidelinesandTechnicalBasis
Page27of28
RationaleforR3:
ToimprovetheeffectivenessofBESCyberSystemrecoveryplan(s)followingatest,andto
ensurethemaintenanceanddistributionoftherecoveryplan(s).ResponsibleEntitiesachieve
thisby(i)performingalessonslearnedreviewin3.1and(ii)revisingtheplanin3.2basedon
specificchangesintheorganizationortechnologythatwouldimpactplanexecution.Inboth
instanceswhentheplanneedstochange,theResponsibleEntityupdatesanddistributesthe
plan.
SummaryofChanges:Makesclearwhentoperformlessonslearnedreviewoftheplanand
specifiesthetimeframeforupdatingtherecoveryplan.
Referencetopriorversion:(Part3.1)CIP009,R1andR3
ChangeDescriptionandJustification:(Part3.1)
Addedthetimeframesforperforminglessonslearnedandcompletingtheplanupdates.This
requirementcombinesallthreeactivitiesinoneplace.Wherepreviousversionsspecified30
calendardaysforperforminglessonslearned,followedbyadditionaltimeforupdatingrecovery
plansandnotification,thisrequirementcombinesthoseactivitiesintoasingletimeframe.
Referencetopriorversion:(Part3.2)NewRequirement
ChangeDescriptionandJustification:(Part3.2)
Specifiestheactivitiesrequiredtomaintaintheplan.Thepreviousversionrequiredentitiesto
updatetheplaninresponsetoanychanges.Themodificationsmakeclearthespecificchanges
thatwouldrequireanupdate.
Version History
Version Date Action ChangeTracking
1 1/16/06
R3.2ChangeControlCenterto
controlcenter
3/24/06
2 9/30/09 Modificationstoclarifytherequirements
andtobringthecomplianceelementsinto
conformancewiththelatestguidelinesfor
developingcomplianceelementsof
standards.
Removalofreasonablebusinessjudgment.
ReplacedtheRROwiththeREasa
ResponsibleEntity.
RewordingofEffectiveDate.
Changedcompliancemonitorto
ComplianceEnforcementAuthority.
GuidelinesandTechnicalBasis
Page28of28
3 Updatedversionnumberfrom2to3
InRequirement1.6,deletedthesentence
pertainingtoremovingcomponentor
systemfromserviceinordertoperform
testing,inresponsetoFERCorderissued
September30,2009.
CIP0101CyberSecurityConfigurationChangeManagementandVulnerability
Assessments
Page1of34
A. I ntroduction
1. Title: Cyber Security Configuration Change Management and Vulnerability
Assessments
2. Number: CIP0101
3. Purpose: TopreventanddetectunauthorizedchangestoBESCyberSystemsby
specifyingconfigurationchangemanagementandvulnerabilityassessment
requirementsinsupportofprotectingBESCyberSystemsfromcompromisethatcould
leadtomisoperationorinstabilityintheBES.
4. Applicability:
4.1. FunctionalEntities:Forthepurposeoftherequirementscontainedherein,the
followinglistoffunctionalentitieswillbecollectivelyreferredtoasResponsible
Entities.Forrequirementsinthisstandardwhereaspecificfunctionalentityor
subsetoffunctionalentitiesaretheapplicableentityorentities,thefunctionalentity
orentitiesarespecifiedexplicitly.
4.1.1 BalancingAuthority
4.1.2 DistributionProviderthatownsoneormoreofthefollowingFacilities,systems,
andequipmentfortheprotectionorrestorationoftheBES:
4.1.2.1 EachunderfrequencyLoadshedding(UFLS)orundervoltageLoadshedding
(UVLS)systemthat:
4.1.2.1.1 ispartofaLoadsheddingprogramthatissubjecttooneormore
requirementsinaNERCorRegionalReliabilityStandard;and
4.1.2.1.2 performsautomaticLoadsheddingunderacommoncontrolsystem
ownedbytheResponsibleEntity,withouthumanoperatorinitiation,
of300MWormore.
4.1.2.2 EachSpecialProtectionSystemorRemedialActionSchemewherethe
SpecialProtectionSystemorRemedialActionSchemeissubjecttooneor
morerequirementsinaNERCorRegionalReliabilityStandard.
4.1.2.3 EachProtectionSystem(excludingUFLSandUVLS)thatappliesto
TransmissionwheretheProtectionSystemissubjecttooneormore
requirementsinaNERCorRegionalReliabilityStandard.
4.1.2.4 EachCrankingPathandgroupofElementsmeetingtheinitialswitching
requirementsfromaBlackstartResourceuptoandincludingthefirst
interconnectionpointofthestartingstationserviceofthenextgeneration
unit(s)tobestarted.
4.1.3 GeneratorOperator
4.1.4 GeneratorOwner
4.1.5 InterchangeCoordinatororInterchangeAuthority
CIP0101CyberSecurityConfigurationChangeManagementandVulnerability
Assessments
Page2of34
4.1.6 ReliabilityCoordinator
4.1.7 TransmissionOperator
4.1.8 TransmissionOwner
4.2. Facilities:Forthepurposeoftherequirementscontainedherein,thefollowing
Facilities,systems,andequipmentownedbyeachResponsibleEntityin4.1above
arethosetowhichtheserequirementsareapplicable.Forrequirementsinthis
standardwhereaspecifictypeofFacilities,system,orequipmentorsubsetof
Facilities,systems,andequipmentareapplicable,thesearespecifiedexplicitly.
4.2.1 DistributionProvider:OneormoreofthefollowingFacilities,systemsand
equipmentownedbytheDistributionProviderfortheprotectionorrestoration
oftheBES:
4.2.1.1 EachUFLSorUVLSSystemthat:
4.2.1.1.1 ispartofaLoadsheddingprogramthatissubjecttooneormore
requirementsinaNERCorRegionalReliabilityStandard;and
4.2.1.1.2 performsautomaticLoadsheddingunderacommoncontrolsystem
ownedbytheResponsibleEntity,withouthumanoperatorinitiation,
of300MWormore.
4.2.1.2 EachSpecialProtectionSystemorRemedialActionSchemewherethe
SpecialProtectionSystemorRemedialActionSchemeissubjecttooneor
morerequirementsinaNERCorRegionalReliabilityStandard.
4.2.1.3 EachProtectionSystem(excludingUFLSandUVLS)thatappliesto
TransmissionwheretheProtectionSystemissubjecttooneormore
requirementsinaNERCorRegionalReliabilityStandard.
4.2.1.4 EachCrankingPathandgroupofElementsmeetingtheinitialswitching
requirementsfromaBlackstartResourceuptoandincludingthefirst
interconnectionpointofthestartingstationserviceofthenextgeneration
unit(s)tobestarted.
4.2.2 ResponsibleEntitieslistedin4.1otherthanDistributionProviders:
AllBESFacilities.
4.2.3 Exemptions:ThefollowingareexemptfromStandardCIP0101:
4.2.3.1 CyberAssetsatFacilitiesregulatedbytheCanadianNuclearSafety
Commission.
4.2.3.2 CyberAssetsassociatedwithcommunicationnetworksanddata
communicationlinksbetweendiscreteElectronicSecurityPerimeters.
4.2.3.3 Thesystems,structures,andcomponentsthatareregulatedbytheNuclear
RegulatoryCommissionunderacybersecurityplanpursuantto10C.F.R.
Section73.54.
CIP0101CyberSecurityConfigurationChangeManagementandVulnerability
Assessments
Page3of34
4.2.3.4 ForDistributionProviders,thesystemsandequipmentthatarenotincluded
insection4.2.1above.
4.2.3.5 ResponsibleEntitiesthatidentifythattheyhavenoBESCyberSystems
categorizedashighimpactormediumimpactaccordingtotheCIP0025
identificationandcategorizationprocesses.
5.EffectiveDates:
1.24MonthsMinimumCIP0101shallbecomeeffectiveonthelaterofJuly1,
2015,orthefirstcalendardayoftheninthcalendarquarteraftertheeffective
dateoftheorderprovidingapplicableregulatoryapproval.
2.Inthosejurisdictionswherenoregulatoryapprovalisrequired,CIP0101shall
becomeeffectiveonthefirstdayoftheninthcalendarquarterfollowingBoard
ofTrusteesapproval,orasotherwisemadeeffectivepursuanttothelaws
applicabletosuchEROgovernmentalauthorities.
6.Background:
StandardCIP0101existsaspartofasuiteofCIPStandardsrelatedtocybersecurity.
CIP0025requirestheinitialidentificationandcategorizationofBESCyberSystems.
CIP0035,CIP0045,CIP0055,CIP0065,CIP0075,CIP0085,CIP0095,CIP0101,
andCIP0111requireaminimumleveloforganizational,operationalandprocedural
controlstomitigaterisktoBESCyberSystems.ThissuiteofCIPStandardsisreferred
toastheVersion5CIPCyberSecurityStandards.
Mostrequirementsopenwith,EachResponsibleEntityshallimplementoneormore
documented[processes,plan,etc]thatincludetheapplicableitemsin[Table
Reference].Thereferencedtablerequirestheapplicableitemsintheproceduresfor
therequirementscommonsubjectmatter.
TheSDThasincorporatedwithinthisstandardarecognitionthatcertainrequirements
shouldnotfocusonindividualinstancesoffailureasasolebasisforviolatingthe
standard.Inparticular,theSDThasincorporatedanapproachtoempowerand
enabletheindustrytoidentify,assess,andcorrectdeficienciesintheimplementation
ofcertainrequirements.Theintentistochangethebasisofaviolationinthose
requirementssothattheyarenotfocusedonwhetherthereisadeficiency,buton
identifying,assessing,andcorrectingdeficiencies.Itispresentedinthose
requirementsbymodifyingimplementasfollows:
EachResponsibleEntityshallimplement,inamannerthatidentifies,assesses,
andcorrectsdeficiencies,...
Thetermdocumentedprocessesreferstoasetofrequiredinstructionsspecifictothe
ResponsibleEntityandtoachieveaspecificoutcome.Thistermdoesnotimplyany
particularnamingorapprovalstructurebeyondwhatisstatedintherequirements.
Anentityshouldincludeasmuchasitbelievesnecessaryintheirdocumented
processes,buttheymustaddresstheapplicablerequirementsinthetable.The
CIP0101CyberSecurityConfigurationChangeManagementandVulnerability
Assessments
Page4of34
documentedprocessesthemselvesarenotrequiredtoincludethe...identifies,
assesses,andcorrectsdeficiencies,..."elementsdescribedinthepreceding
paragraph,asthoseaspectsarerelatedtothemannerofimplementationofthe
documentedprocessesandcouldbeaccomplishedthroughothercontrolsor
compliancemanagementactivities.
Thetermsprogramandplanaresometimesusedinplaceofdocumentedprocesses
whereitmakessenseandiscommonlyunderstood.Forexample,documented
processesdescribingaresponsearetypicallyreferredtoasplans(i.e.,incident
responseplansandrecoveryplans).Likewise,asecurityplancandescribean
approachinvolvingmultipleprocedurestoaddressabroadsubjectmatter.
Similarly,thetermprogrammayrefertotheorganizationsoverallimplementationof
itspolicies,plansandproceduresinvolvingasubjectmatter.Examplesinthe
standardsincludethepersonnelriskassessmentprogramandthepersonneltraining
program.ThefullimplementationoftheCIPCyberSecurityStandardscouldalsobe
referredtoasaprogram.However,thetermsprogramandplandonotimplyany
additionalrequirementsbeyondwhatisstatedinthestandards.
ResponsibleEntitiescanimplementcommoncontrolsthatmeetrequirementsfor
multiplehighandmediumimpactBESCyberSystems.Forexample,asingletraining
programcouldmeettherequirementsfortrainingpersonnelacrossmultipleBES
CyberSystems.
Measuresfortheinitialrequirementaresimplythedocumentedprocesses
themselves.Measuresinthetablerowsprovideexamplesofevidencetoshow
documentationandimplementationofapplicableitemsinthedocumentedprocesses.
Thesemeasuresservetoprovideguidancetoentitiesinacceptablerecordsof
complianceandshouldnotbeviewedasanallinclusivelist.
Throughoutthestandards,unlessotherwisestated,bulleteditemsinthe
requirementsandmeasuresareitemsthatarelinkedwithanor,andnumbered
itemsareitemsthatarelinkedwithanand.
ManyreferencesintheApplicabilitysectionuseathresholdof300MWforUFLSand
UVLS.Thisparticularthresholdof300MWforUVLSandUFLSwasprovidedinVersion
1oftheCIPCyberSecurityStandards.Thethresholdremainsat300MWsinceitis
specificallyaddressingUVLSandUFLS,whicharelastditcheffortstosavetheBulk
ElectricSystem.AreviewofUFLStolerancesdefinedwithinregionalreliability
standardsforUFLSprogramrequirementstodateindicatesthatthehistoricalvalueof
300MWrepresentsanadequateandreasonablethresholdvalueforallowableUFLS
operationaltolerances.
ApplicableSystemsColumnsinTables:
EachtablehasanApplicableSystemscolumntofurtherdefinethescopeof
systemstowhichaspecificrequirementrowapplies.TheCSO706SDTadaptedthis
conceptfromtheNationalInstituteofStandardsandTechnology(NIST)Risk
ManagementFrameworkasawayofapplyingrequirementsmoreappropriately
CIP0101CyberSecurityConfigurationChangeManagementandVulnerability
Assessments
Page5of34
basedonimpactandconnectivitycharacteristics.Thefollowingconventionsareused
intheapplicabilitycolumnasdescribed.
HighImpactBESCyberSystemsAppliestoBESCyberSystemscategorizedas
highimpactaccordingtotheCIP0025identificationandcategorization
processes.
MediumImpactBESCyberSystemsAppliestoBESCyberSystemscategorized
asmediumimpactaccordingtotheCIP0025identificationandcategorization
processes.
ElectronicAccessControlorMonitoringSystems(EACMS)Appliestoeach
ElectronicAccessControlorMonitoringSystemassociatedwithareferenced
highimpactBESCyberSystemormediumimpactBESCyberSystem.Examples
mayinclude,butarenotlimitedto,firewalls,authenticationservers,andlog
monitoringandalertingsystems.
PhysicalAccessControlSystems(PACS)AppliestoeachPhysicalAccessControl
SystemassociatedwithareferencedhighimpactBESCyberSystemormedium
impactBESCyberSystemwithExternalRoutableConnectivity.
ProtectedCyberAssets(PCA)AppliestoeachProtectedCyberAsset
associatedwithareferencedhighimpactBESCyberSystemormediumimpact
BESCyberSystem
CIP0101CyberSecurityConfigurationChangeManagementandVulnerabilityAssessments
Page6of34
B. Requirements and Measures
R1. EachResponsibleEntityshallimplement,inamannerthatidentifies,assesses,andcorrectsdeficiencies,oneormore
documentedprocessesthatcollectivelyincludeeachoftheapplicablerequirementpartsinCIP0101TableR1
ConfigurationChangeManagement.[ViolationRiskFactor:Medium][TimeHorizon:OperationsPlanning].
M1. Evidencemustincludeeachoftheapplicabledocumentedprocessesthatcollectivelyincludeeachoftheapplicable
requirementpartsinCIP0101TableR1ConfigurationChangeManagementandadditionalevidencetodemonstrate
implementationasdescribedintheMeasurescolumnofthetable.
CIP0101TableR1ConfigurationChangeManagement
Part ApplicableSystems Requirements Measures
1.1 HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;
2. PACS;and
3. PCA
MediumImpactBESCyberSystems
andtheirassociated:
1. EACMS;
2. PACS;and
3. PCA
Developabaselineconfiguration,
individuallyorbygroup,whichshall
includethefollowingitems:
1.1.1. Operatingsystem(s)(including
version)orfirmwarewhereno
independentoperatingsystem
exists;
1.1.2. Anycommerciallyavailableor
opensourceapplication
software(includingversion)
intentionallyinstalled;
1.1.3. Anycustomsoftwareinstalled;
1.1.4. Anylogicalnetworkaccessible
ports;and
1.1.5. Anysecuritypatchesapplied.
Examplesofevidencemayinclude,but
arenotlimitedto:
Aspreadsheetidentifyingthe
requireditemsofthebaseline
configurationforeachCyberAsset,
individuallyorbygroup;or
Arecordinanassetmanagement
systemthatidentifiestherequired
itemsofthebaselineconfiguration
foreachCyberAsset,individuallyor
bygroup.
CIP0101CyberSecurityConfigurationChangeManagementandVulnerabilityAssessments
Page7of34
CIP0101TableR1ConfigurationChangeManagement
Part ApplicableSystems Requirements Measures
1.2 HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;
2. PACS;and
3. PCA
MediumImpactBESCyberSystems
andtheirassociated:
1. EACMS;
2. PACS;and
3. PCA
Authorizeanddocumentchangesthat
deviatefromtheexistingbaseline
configuration.
Examplesofevidencemayinclude,but
arenotlimitedto:
Achangerequestrecordand
associatedelectronicauthorization
(performedbytheindividualor
groupwiththeauthorityto
authorizethechange)inachange
managementsystemforeach
change;or
Documentationthatthechange
wasperformedinaccordancewith
therequirement.
CIP0101CyberSecurityConfigurationChangeManagementandVulnerabilityAssessments
Page8of34
CIP0101TableR1ConfigurationChangeManagement
Part ApplicableSystems Requirements Measures
1.3 HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;
2. PACS;and
3. PCA
MediumImpactBESCyberSystems
andtheirassociated:
1. EACMS;
2. PACS;and
3. PCA
Forachangethatdeviatesfromthe
existingbaselineconfiguration,update
thebaselineconfigurationasnecessary
within30calendardaysofcompleting
thechange.
Anexampleofevidencemayinclude,
butisnotlimitedto,updatedbaseline
documentationwithadatethatis
within30calendardaysofthedateof
thecompletionofthechange.
1.4 HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;
2. PACS;and
3. PCA
MediumImpactBESCyberSystems
andtheirassociated:
1. EACMS;
2. PACS;and
3. PCA
Forachangethatdeviatesfromthe
existingbaselineconfiguration:
1.4.1. Priortothechange,determine
requiredcybersecuritycontrols
inCIP005andCIP007thatcould
beimpactedbythechange;
1.4.2. Followingthechange,verifythat
requiredcybersecuritycontrols
determinedin1.4.1arenot
adverselyaffected;and
1.4.3. Documenttheresultsofthe
verification.
Anexampleofevidencemayinclude,
butisnotlimitedto,alistofcyber
securitycontrolsverifiedortested
alongwiththedatedtestresults.
CIP0101CyberSecurityConfigurationChangeManagementandVulnerabilityAssessments
Page9of34
CIP0101TableR1ConfigurationChangeManagement
Part ApplicableSystems Requirements Measures
1.5 HighImpactBESCyberSystems
Wheretechnicallyfeasible,foreach
changethatdeviatesfromtheexisting
baselineconfiguration:
1.5.1. Priortoimplementingany
changeintheproduction
environment,testthechanges
inatestenvironmentortestthe
changesinaproduction
environmentwherethetestis
performedinamannerthat
minimizesadverseeffects,that
modelsthebaseline
configurationtoensurethat
requiredcybersecuritycontrols
inCIP005andCIP007arenot
adverselyaffected;and
1.5.2. Documenttheresultsofthe
testingand,ifatest
environmentwasused,the
differencesbetweenthetest
environmentandtheproduction
environment,includinga
descriptionofthemeasures
usedtoaccountforany
differencesinoperation
betweenthetestand
productionenvironments.
Anexampleofevidencemayinclude,
butisnotlimitedto,alistofcyber
securitycontrolstestedalongwith
successfultestresultsandalistof
differencesbetweentheproduction
andtestenvironmentswith
descriptionsofhowanydifferences
wereaccountedfor,includingofthe
dateofthetest.
CIP0101CyberSecurityConfigurationChangeManagementandVulnerabilityAssessments
Page10of34
R2. EachResponsibleEntityshallimplement,inamannerthatidentifies,assesses,andcorrectsdeficiencies,oneormore
documentedprocessesthatcollectivelyincludeeachoftheapplicablerequirementpartsinCIP0101TableR2Configuration
Monitoring.[ViolationRiskFactor:Medium][TimeHorizon:OperationsPlanning].
M2. Evidencemustincludeeachoftheapplicabledocumentedprocessesthatcollectivelyincludeeachoftheapplicable
requirementpartsinCIP0101TableR2ConfigurationMonitoringandadditionalevidencetodemonstrateimplementation
asdescribedintheMeasurescolumnofthetable.
CIP0101TableR2ConfigurationMonitoring
Part ApplicableSystems Requirements Measures
2.1 HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;and
2. PCA
Monitoratleastonceevery35calendar
daysforchangestothebaseline
configuration(asdescribedin
RequirementR1,Part1.1).Document
andinvestigatedetectedunauthorized
changes.
Anexampleofevidencemayinclude,
butisnotlimitedto,logsfroma
systemthatismonitoringthe
configurationalongwithrecordsof
investigationforanyunauthorized
changesthatweredetected.
R3. EachResponsibleEntityshallimplementoneormoredocumentedprocessesthatcollectivelyincludeeachoftheapplicable
requirementpartsinCIP0101TableR3VulnerabilityAssessments.[ViolationRiskFactor:Medium][TimeHorizon:Longterm
PlanningandOperationsPlanning]
M3.Evidencemustincludeeachoftheapplicabledocumentedprocessesthatcollectivelyincludeeachoftheapplicable
requirementpartsinCIP0101TableR3VulnerabilityAssessmentsandadditionalevidencetodemonstrateimplementation
asdescribedintheMeasurescolumnofthetable.
CIP0101CyberSecurityConfigurationChangeManagementandVulnerabilityAssessments
Page11of34
CIP0101TableR3VulnerabilityAssessments
Part ApplicableSystems Requirements Measures
3.1 HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;
2. PACS;and
3. PCA
MediumImpactBESCyberSystems
andtheirassociated:
1. EACMS;
2. PACS;and
3. PCA
Atleastonceevery15calendar
months,conductapaperoractive
vulnerabilityassessment.
Examplesofevidencemayinclude,but
arenotlimitedto:
Adocumentlistingthedateofthe
assessment(performedatleast
onceevery15calendarmonths),
thecontrolsassessedforeachBES
CyberSystemalongwiththe
methodofassessment,;or
Adocumentlistingthedateofthe
assessmentandtheoutputofany
toolsusedtoperformthe
assessment.
CIP0101CyberSecurityConfigurationChangeManagementandVulnerabilityAssessments
Page12of34
CIP0101TableR3VulnerabilityAssessments
Part ApplicableSystems Requirements Measures
3.2 HighImpactBESCyberSystems
Wheretechnicallyfeasible,atleast
onceevery36calendarmonths:
3.2.1 Performanactivevulnerability
assessmentinatest
environment,orperforman
activevulnerabilityassessment
inaproductionenvironment
wherethetestisperformedin
amannerthatminimizes
adverseeffects,thatmodels
thebaselineconfigurationof
theBESCyberSystemina
productionenvironment;and
3.2.2 Documenttheresultsofthe
testingand,ifatest
environmentwasused,the
differencesbetweenthetest
environmentandthe
productionenvironment,
includingadescriptionofthe
measuresusedtoaccountfor
anydifferencesinoperation
betweenthetestand
productionenvironments.
Anexampleofevidencemayinclude,
butisnotlimitedto,adocument
listingthedateoftheassessment
(performedatleastonceevery36
calendarmonths),theoutputofthe
toolsusedtoperformtheassessment,
andalistofdifferencesbetweenthe
productionandtestenvironments
withdescriptionsofhowany
differenceswereaccountedforin
conductingtheassessment.
CIP0101CyberSecurityConfigurationChangeManagementandVulnerabilityAssessments
Page13of34
CIP0101TableR3VulnerabilityAssessments
Part ApplicableSystems Requirements Measures
3.3 HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;
2. PCA
PriortoaddinganewapplicableCyber
Assettoaproductionenvironment,
performanactivevulnerability
assessmentofthenewCyberAsset,
exceptforCIPExceptional
Circumstancesandlikereplacements
ofthesametypeofCyberAssetwitha
baselineconfigurationthatmodelsan
existingbaselineconfigurationofthe
previousorotherexistingCyberAsset.
Anexampleofevidencemayinclude,
butisnotlimitedto,adocument
listingthedateoftheassessment
(performedpriortothe
commissioningofthenewCyber
Asset)andtheoutputofanytools
usedtoperformtheassessment.
3.4 HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;
2. PACS;and
3. PCA
MediumImpactBESCyberSystems
andtheirassociated:
1. EACMS;
2. PACS;and
3. PCA
Documenttheresultsofthe
assessmentsconductedaccordingto
Parts3.1,3.2,and3.3andtheaction
plantoremediateormitigate
vulnerabilitiesidentifiedinthe
assessmentsincludingtheplanned
dateofcompletingtheactionplanand
theexecutionstatusofany
remediationormitigationaction
items.
Anexampleofevidencemayinclude,
butisnotlimitedto,adocument
listingtheresultsorthereviewor
assessment,alistofactionitems,
documentedproposeddatesof
completionfortheactionplan,and
recordsofthestatusoftheaction
items(suchasminutesofastatus
meeting,updatesinaworkorder
system,oraspreadsheettrackingthe
actionitems).
CIP0101CyberSecurityConfigurationChangeManagementandVulnerability
Assessments
Page14of34
C. Compliance
1. ComplianceMonitoringProcess:
1.1. ComplianceEnforcementAuthority:
TheRegionalEntityshallserveastheComplianceEnforcementAuthority(CEA)
unlesstheapplicableentityisowned,operated,orcontrolledbytheRegional
Entity.InsuchcasestheEROoraRegionalEntityapprovedbyFERCorother
applicablegovernmentalauthorityshallserveastheCEA.
1.2. EvidenceRetention:
Thefollowingevidenceretentionperiodsidentifytheperiodoftimeanentityis
requiredtoretainspecificevidencetodemonstratecompliance.Forinstances
wheretheevidenceretentionperiodspecifiedbelowisshorterthanthetime
sincethelastaudit,theCEAmayaskanentitytoprovideotherevidencetoshow
thatitwascompliantforthefulltimeperiodsincethelastaudit.
TheResponsibleEntityshallkeepdataorevidencetoshowcomplianceas
identifiedbelowunlessdirectedbyitsCEAtoretainspecificevidencefora
longerperiodoftimeaspartofaninvestigation:
EachResponsibleEntityshallretainevidenceofeachrequirementinthis
standardforthreecalendaryears.
IfaResponsibleEntityisfoundnoncompliant,itshallkeepinformation
relatedtothenoncomplianceuntilmitigationiscompleteandapprovedor
forthetimespecifiedabove,whicheverislonger.
TheCEAshallkeepthelastauditrecordsandallrequestedandsubmitted
subsequentauditrecords.
1.3. ComplianceMonitoringandAssessmentProcesses:
ComplianceAudit
SelfCertification
SpotChecking
ComplianceInvestigation
SelfReporting
Complaint
1.4. AdditionalComplianceInformation:
None
CIP0101CyberSecurityConfigurationChangeManagementandVulnerabilityAssessments
Page15of34
2.TableofComplianceElements
R# Time
Horizon
VRF ViolationSeverityLevels(CIP0101)
LowerVSL ModerateVSL HighVSL SevereVSL
R1 Operations
Planning
Medium TheResponsible
Entityhas
documentedand
implementeda
configuration
change
management
process(es)that
includesonlyfourof
therequired
baselineitemslisted
in1.1.1through
1.1.5.(1.1)
OR
TheResponsible
Entityhas
documentedand
implementeda
configuration
change
management
process(es)that
includesallofthe
requiredbaseline
TheResponsible
Entityhas
documentedand
implementeda
configurationchange
management
process(es)that
includesonlythree
oftherequired
baselineitemslisted
in1.1.1through
1.1.5.(1.1)
OR
TheResponsible
Entityhas
documentedand
implementeda
configurationchange
management
process(es)that
includesfourofthe
requiredbaseline
itemslistedin1.1.1
through1.1.5and
TheResponsible
Entityhas
documentedand
implementeda
configurationchange
management
process(es)that
includesonlytwoof
therequiredbaseline
itemslistedin1.1.1
through1.1.5.(1.1)
OR
TheResponsible
Entityhas
documentedand
implementeda
configurationchange
management
process(es)that
includesthreeofthe
requiredbaseline
itemslistedin1.1.1
through1.1.5and
identified
TheResponsible
Entityhasnot
documentedor
implementedany
configurationchange
management
process(es).(R1)
OR
TheResponsible
Entityhas
documentedand
implementeda
configurationchange
management
process(es)that
includesonlyoneof
therequiredbaseline
itemslistedin1.1.1
through1.1.5.(1.1)
OR
TheResponsible
Entityhas
documentedand
CIP0101CyberSecurityConfigurationChangeManagementandVulnerabilityAssessments
Page16of34
R# Time
Horizon
VRF ViolationSeverityLevels(CIP0101)
LowerVSL ModerateVSL HighVSL SevereVSL
itemslistedin1.1.1
through1.1.5and
identified
deficienciesbutdid
notassessand
correctthe
deficiencies.(1.1)
OR
TheResponsible
Entityhas
documentedand
implementeda
configuration
change
management
process(es)that
includesallofthe
requiredbaseline
itemslistedin1.1.1
through1.1.5but
didnotidentify,
assess,andcorrect
thedeficiencies.
(1.1)
OR
TheResponsible
identified
deficienciesbutdid
notassessand
correctthe
deficiencies.(1.1)
OR
TheResponsible
Entityhas
documentedand
implementeda
configurationchange
management
process(es)that
includesfourofthe
requiredbaseline
itemslistedin1.1.1
through1.1.5but
didnotidentify,
assess,andcorrect
thedeficiencies.
(1.1)
OR
TheResponsible
Entityhasa
process(es)to
determinerequired
deficienciesbutdid
notassessand
correctthe
deficiencies.(1.1)
OR
TheResponsible
Entityhas
documentedand
implementeda
configurationchange
management
process(es)that
includesthreeofthe
requiredbaseline
itemslistedin1.1.1
through1.1.5butdid
notidentify,assess,
andcorrectthe
deficiencies.(1.1)
OR
TheResponsible
Entityhasa
process(es)that
requires
authorizationand
documentationfor
implementeda
configurationchange
management
process(es)that
includestwoorfewer
oftherequired
baselineitemslisted
in1.1.1through1.1.5
andidentified
deficienciesbutdid
notassessand
correctthe
deficiencies.(1.1)
OR
TheResponsible
Entityhas
documentedand
implementeda
configurationchange
management
process(es)that
includestwoorfewer
oftherequired
baselineitemslisted
in1.1.1through1.1.5
butdidnotidentify,
assess,andcorrect
CIP0101CyberSecurityConfigurationChangeManagementandVulnerabilityAssessments
Page17of34
R# Time
Horizon
VRF ViolationSeverityLevels(CIP0101)
LowerVSL ModerateVSL HighVSL SevereVSL
Entityhasa
process(es)to
performstepsin
1.4.1and1.4.2fora
change(s)that
deviatesfromthe
existingbaseline
configurationand
identified
deficienciesinthe
verification
documentationbut
didnotassessor
correctthe
deficiencies.(1.4.3)
OR
TheResponsible
Entityhasa
process(es)to
performstepsin
1.4.1and1.4.2fora
change(s)that
deviatesfromthe
existingbaseline
configurationbut
didnotidentify,
assess,orcorrect
securitycontrolsin
CIP005andCIP007
thatcouldbe
impactedbya
change(s)that
deviatesfromthe
existingbaseline
configurationand
identified
deficienciesinthe
determinationof
affectedsecurity
controls,butdidnot
assess,orcorrectthe
deficiencies.(1.4.1)
OR
TheResponsible
Entityhasa
process(es)to
determinerequired
securitycontrolsin
CIP005andCIP007
thatcouldbe
impactedbya
change(s)that
deviatesfromthe
existingbaseline
changesthatdeviate
fromtheexisting
baseline
configurationand
identified
deficienciesbutdid
notassessorcorrect
thedeficiencies.(1.2)
OR
TheResponsible
Entityhasa
process(es)that
requires
authorizationand
documentationfor
changesthatdeviate
fromtheexisting
baseline
configurationbutdid
notidentify,assess,
orcorrectthe
deficiencies.(1.2)
OR
TheResponsible
Entityhasa
process(es)toupdate
thedeficiencies.(1.1)
OR
TheResponsible
Entitydoesnothave
aprocess(es)that
requires
authorizationand
documentationof
changesthatdeviate
fromtheexisting
baseline
configuration.(1.2)
OR
TheResponsible
Entitydoesnothave
aprocess(es)to
updatebaseline
configurationswithin
30calendardaysof
completinga
change(s)that
deviatesfromthe
existingbaseline
configuration.(1.3)
OR
CIP0101CyberSecurityConfigurationChangeManagementandVulnerabilityAssessments
Page18of34
R# Time
Horizon
VRF ViolationSeverityLevels(CIP0101)
LowerVSL ModerateVSL HighVSL SevereVSL
thedeficienciesin
theverification
documentation.
(1.4.3)
configurationbutdid
notidentify,assess,
orcorrectthe
deficienciesinthe
determinationof
affectedsecurity
controls.(1.4.1)
baseline
configurationswithin
30calendardaysof
completinga
change(s)that
deviatesfromthe
existingbaseline
configurationand
identified
deficienciesbutdid
notassessorcorrect
thedeficiencies.(1.3)
OR
TheResponsible
Entityhasa
process(es)toupdate
baseline
configurationswithin
30calendardaysof
completinga
change(s)that
deviatesfromthe
existingbaseline
configurationbutdid
notidentify,assess,
orcorrectthe
TheResponsible
Entitydoesnothave
aprocess(es)to
determinerequired
securitycontrolsin
CIP005andCIP007
thatcouldbe
impactedbya
change(s)that
deviatesfromthe
existingbaseline
configuration.(1.4.1)
OR
TheResponsible
Entityhasa
process(es)to
determinerequired
securitycontrolsin
CIP005andCIP007
thatcouldbe
impactedbya
change(s)that
deviatesfromthe
existingbaseline
configurationbutdid
notverifyand
documentthatthe
CIP0101CyberSecurityConfigurationChangeManagementandVulnerabilityAssessments
Page19of34
R# Time
Horizon
VRF ViolationSeverityLevels(CIP0101)
LowerVSL ModerateVSL HighVSL SevereVSL
deficiencies.(1.3)
OR
TheResponsible
Entityhasa
process(es)toverify
thatrequired
securitycontrolsin
CIP005andCIP007
arenotadversely
affectedbya
change(s)that
deviatesfromthe
existingbaseline
configurationand
identified
deficienciesin
requiredcontrols,
butdidnotassess,or
correctthe
deficiencies.(1.4.2)
OR
TheResponsible
Entityhasa
process(es)toverify
thatrequired
securitycontrolsin
requiredcontrols
werenotadversely
affectedfollowingthe
change.(1.4.2&
1.4.3)
OR
TheResponsible
Entitydoesnothave
aprocessfortesting
changesinan
environmentthat
modelsthebaseline
configurationpriorto
implementinga
changethatdeviates
frombaseline
configuration.(1.5.1)
OR
TheResponsible
Entitydoesnothave
aprocessto
documentthetest
resultsand,ifusinga
testenvironment,
documentthe
differencesbetween
CIP0101CyberSecurityConfigurationChangeManagementandVulnerabilityAssessments
Page20of34
R# Time
Horizon
VRF ViolationSeverityLevels(CIP0101)
LowerVSL ModerateVSL HighVSL SevereVSL
CIP005andCIP007
arenotadversely
affectedbya
change(s)that
deviatesfromthe
existingbaseline
configurationbutdid
notidentify,assess,
orcorrectthe
deficienciesinthe
requiredcontrols.
(1.4.2)
OR
TheResponsible
Entityhasaprocess
fortestingchangesin
anenvironmentthat
modelsthebaseline
configurationpriorto
implementinga
changethatdeviates
frombaseline
configuration,and
identified
deficienciesbutdid
notassessorcorrect
thedeficiencies.
thetestand
production
environments.(1.5.2)
CIP0101CyberSecurityConfigurationChangeManagementandVulnerabilityAssessments
Page21of34
R# Time
Horizon
VRF ViolationSeverityLevels(CIP0101)
LowerVSL ModerateVSL HighVSL SevereVSL
(1.5.1)
OR
TheResponsible
Entityhasaprocess
fortestingchangesin
anenvironmentthat
modelsthebaseline
configurationpriorto
implementinga
changethatdeviates
frombaseline
configurationbutdid
notidentify,assess,
orcorrectthe
deficiencies.(1.5.1)
OR
TheResponsible
Entityhasaprocess
todocumentthetest
resultsand,ifusinga
testenvironment,
documentthe
differencesbetween
thetestand
production
environmentsand
CIP0101CyberSecurityConfigurationChangeManagementandVulnerabilityAssessments
Page22of34
R# Time
Horizon
VRF ViolationSeverityLevels(CIP0101)
LowerVSL ModerateVSL HighVSL SevereVSL
identified
deficienciesbutdid
notassessorcorrect
thedeficiencies.
(1.5.2)
OR
TheResponsible
Entityhasaprocess
todocumentthetest
resultsand,ifusinga
testenvironment,
documentthe
differencesbetween
thetestand
production
environments,but
didnotidentify,
assess,orcorrectthe
deficiencies.(1.5.2)
R2 Operations
Planning
Medium N/A N/A N/A TheResponsible
Entityhasnot
documentedor
implementeda
process(es)to
monitorfor,
investigate,and
CIP0101CyberSecurityConfigurationChangeManagementandVulnerabilityAssessments
Page23of34
R# Time
Horizon
VRF ViolationSeverityLevels(CIP0101)
LowerVSL ModerateVSL HighVSL SevereVSL
documentdetected
unauthorizedchanges
tothebaselineat
leastonceevery35
calendardays.(2.1)
OR
TheResponsible
Entityhas
documentedand
implementeda
process(es)to
monitorfor,
investigate,and
documentdetected
unauthorizedchanges
tothebaselineat
leastonceevery35
calendardaysand
identifieddeficiencies
butdidnotassessor
correctthe
deficiencies.(2.1)
OR
TheResponsible
Entityhas
documentedand
CIP0101CyberSecurityConfigurationChangeManagementandVulnerabilityAssessments
Page24of34
R# Time
Horizon
VRF ViolationSeverityLevels(CIP0101)
LowerVSL ModerateVSL HighVSL SevereVSL
implementeda
process(es)to
monitorfor,
investigate,and
documentdetected
unauthorizedchanges
tothebaselineat
leastonceevery35
calendardaysbutdid
notidentify,assess,
orcorrectthe
deficiencies.(2.1)
R3 Longterm
Planning
and
Operations
Planning
Medium TheResponsible
Entityhas
implementedone
ormore
documented
vulnerability
assessment
processesforeach
ofitsapplicableBES
CyberSystems,but
hasperformeda
vulnerability
assessmentmore
than15months,
butlessthan18
TheResponsible
Entityhas
implementedoneor
moredocumented
vulnerability
assessment
processesforeachof
itsapplicableBES
CyberSystems,but
hasperformeda
vulnerability
assessmentmore
than18months,but
lessthan21,months
sincethelast
TheResponsible
Entityhas
implementedoneor
moredocumented
vulnerability
assessment
processesforeachof
itsapplicableBES
CyberSystems,but
hasperformeda
vulnerability
assessmentmore
than21months,but
lessthan24months,
sincethelast
TheResponsible
Entityhasnot
implementedany
vulnerability
assessmentprocesses
foroneofits
applicableBESCyber
Systems.(R3)
OR
TheResponsible
Entityhas
implementedoneor
moredocumented
vulnerability
CIP0101CyberSecurityConfigurationChangeManagementandVulnerabilityAssessments
Page25of34
R# Time
Horizon
VRF ViolationSeverityLevels(CIP0101)
LowerVSL ModerateVSL HighVSL SevereVSL
months,sincethe
lastassessmenton
oneofitsapplicable
BESCyberSystems.
(3.1)
OR
TheResponsible
Entityhas
implementedone
ormore
documentedactive
vulnerability
assessment
processesfor
ApplicableSystems,
buthasperformed
anactive
vulnerability
assessmentmore
than36months,
butlessthan39
months,sincethe
lastactive
assessmentonone
ofitsapplicableBES
CyberSystems.
assessmentonone
ofitsapplicableBES
CyberSystems.(3.1)
OR
TheResponsible
Entityhas
implementedoneor
moredocumented
activevulnerability
assessment
processesfor
ApplicableSystems,
buthasperformed
anactive
vulnerability
assessmentmore
than39months,but
lessthan42months,
sincethelastactive
assessmentonone
ofitsapplicableBES
CyberSystems.(3.2)
assessmentononeof
itsapplicableBES
CyberSystems.(3.1)
OR
TheResponsible
Entityhas
implementedoneor
moredocumented
activevulnerability
assessment
processesfor
ApplicableSystems,
buthasperformed
anactive
vulnerability
assessmentmore
than42months,but
lessthan45months,
sincethelastactive
assessmentononeof
itsapplicableBES
CyberSystems.(3.2)
assessmentprocesses
foreachofits
applicableBESCyber
Systems,buthas
performeda
vulnerability
assessmentmore
than24monthssince
thelastassessment
ononeofits
applicableBESCyber
Systems.(3.1)
OR
TheResponsible
Entityhas
implementedoneor
moredocumented
activevulnerability
assessmentprocesses
forApplicable
Systems,buthas
performedanactive
vulnerability
assessmentmore
than45monthssince
thelastactive
assessmentononeof
CIP0101CyberSecurityConfigurationChangeManagementandVulnerabilityAssessments
Page26of34
R# Time
Horizon
VRF ViolationSeverityLevels(CIP0101)
LowerVSL ModerateVSL HighVSL SevereVSL
(3.2)
itsapplicableBES
CyberSystems.(3.2)
OR
TheResponsible
Entityhas
implementedand
documentedoneor
morevulnerability
assessmentprocesses
foreachofits
applicableBESCyber
Systems,butdidnot
performtheactive
vulnerability
assessmentina
mannerthatmodels
anexistingbaseline
configurationofits
applicableBESCyber
Systems.(3.3)
OR
TheResponsible
Entityhas
implementedoneor
moredocumented
vulnerability
CIP0101CyberSecurityConfigurationChangeManagementandVulnerabilityAssessments
Page27of34
R# Time
Horizon
VRF ViolationSeverityLevels(CIP0101)
LowerVSL ModerateVSL HighVSL SevereVSL
assessmentprocesses
foreachofits
applicableBESCyber
Systems,buthasnot
documentedthe
resultsofthe
vulnerability
assessments,the
actionplansto
remediateormitigate
vulnerabilities
identifiedinthe
assessments,the
planneddateof
completionofthe
actionplan,andthe
executionstatusof
themitigationplans.
(3.4)
GuidelinesandTechnicalBasis
Page28of34
D. Regional Variances
None.
E. Interpretations
None.
F. Associated Documents
None.
GuidelinesandTechnicalBasis
Page29of34
Guidelines and Technical Basis
Section4ScopeofApplicabilityoftheCIPCyberSecurityStandards
Section4.ApplicabilityofthestandardsprovidesimportantinformationforResponsible
EntitiestodeterminethescopeoftheapplicabilityoftheCIPCyberSecurityRequirements.
Section4.1.FunctionalEntitiesisalistofNERCfunctionalentitiestowhichthestandard
applies.IftheentityisregisteredasoneormoreofthefunctionalentitieslistedinSection4.1,
thentheNERCCIPCyberSecurityStandardsapply.NotethatthereisaqualificationinSection
4.1thatrestrictstheapplicabilityinthecaseofDistributionProviderstoonlythosethatown
certaintypesofsystemsandequipmentlistedin4.2.Furthermore,
Section4.2.FacilitiesdefinesthescopeoftheFacilities,systems,andequipmentownedby
theResponsibleEntity,asqualifiedinSection4.1,thatissubjecttotherequirementsofthe
standard.Asspecifiedintheexemptionsection4.2.3.5,thisstandarddoesnotapplyto
ResponsibleEntitiesthatdonothaveHighImpactorMediumImpactBESCyberSystemsunder
CIP0025scategorization.InadditiontothesetofBESFacilities,ControlCenters,andother
systemsandequipment,thelistincludesthesetofsystemsandequipmentownedby
DistributionProviders.WhiletheNERCGlossarytermFacilitiesalreadyincludestheBES
characteristic,theadditionaluseofthetermBEShereismeanttoreinforcethescopeof
applicabilityoftheseFacilitieswhereitisused,especiallyinthisapplicabilityscopingsection.
ThisineffectsetsthescopeofFacilities,systems,andequipmentthatissubjecttothe
standards.
RequirementR1:
BaselineConfiguration
TheconceptofestablishingaCyberAssetsbaselineconfigurationismeanttoprovideclarityon
requirementlanguagefoundinpreviousCIPstandardversions.Modificationofanyitemwithin
anapplicableCyberAssetsbaselineconfigurationprovidesthetriggeringmechanismforwhen
entitiesmustapplychangemanagementprocesses.
BaselineconfigurationsinCIP010consistoffivedifferentitems:Operatingsystem/firmware,
commerciallyavailablesoftwareoropensourceapplicationsoftware,customsoftware,logical
networkaccessibleportidentification,andsecuritypatches.Operatingsysteminformation
identifiesthesoftwareandversionthatisinuseontheCyberAsset.Incaseswherean
independentoperatingsystemdoesnotexist(suchasforaprotectiverelay),thenfirmware
informationshouldbeidentified.Commerciallyavailableoropensourceapplicationsoftware
identifiesapplicationsthatwereintentionallyinstalledonthecyberasset.Theuseoftheterm
intentionalwasmeanttoensurethatonlysoftwareapplicationsthatweredeterminedtobe
necessaryforCyberAssetuseshouldbeincludedinthebaselineconfiguration.TheSDTdoes
notintendfornotepad,calculator,DLL,devicedrivers,orotherapplicationsincludedinan
operatingsystempackageascommerciallyavailableoropensourceapplicationsoftwaretobe
GuidelinesandTechnicalBasis
Page30of34
included.Customsoftwareinstalledmayincludescriptsdevelopedforlocalentityfunctionsor
othercustomsoftwaredevelopedforaspecifictaskorfunctionfortheentitysuse.If
additionalsoftwarewasintentionallyinstalledandisnotcommerciallyavailableoropen
source,thenthissoftwarecouldbeconsideredcustomsoftware.Ifaspecificdeviceneedsto
communicatewithanotherdeviceoutsidethenetwork,communicationsneedtobelimitedto
onlythedevicesthatneedtocommunicatepertherequirementinCIP0075.Thoseports
whichareaccessibleneedtobeincludedinthebaseline.Securitypatchesappliedwould
includeallhistoricalandcurrentpatchesthathavebeenappliedonthecyberasset.WhileCIP
0075R2.1requiresentitiestotrack,evaluate,andinstallsecuritypatches,CIP010R1.1.5
requiresentitiestolistallappliedhistoricalandcurrentpatches.
Furtherguidancecanbeunderstoodwiththefollowingexamplethatdetailsthebaseline
configurationforaserialonlymicroprocessorrelay:
Asset#051028atSubstationAlpha
R1.1.1Firmware:[MANUFACTURER][MODEL]XYZ1234567890ABC
R1.1.2NotApplicable
R1.1.3NotApplicable
R1.1.4NotApplicable
R1.1.5Patch12345,Patch67890,Patch34567,Patch437823
Also,foratypicalITsystem,thebaselineconfigurationcouldreferenceanITstandardthat
includesconfigurationdetails.AnentitywouldbeexpectedtoprovidethatITstandardaspart
oftheircomplianceevidence.
CyberSecurityControls
Theuseofcybersecuritycontrolsrefersspecificallytocontrolsreferencedandapplied
accordingtoCIP005andCIP007.Theconceptpresentedintherelevantrequirementsub
partsinCIP010R1isthatanentityistoidentify/verifycontrolsfromCIP005andCIP007that
couldbeimpactedforachangethatdeviatesfromtheexistingbaselineconfiguration.TheSDT
doesnotintendforResponsibleEntitiestoidentify/verifyallcontrolslocatedwithinCIP005
andCIP007foreachchange.TheResponsibleEntityisonlytoidentify/verifythosecontrol(s)
thatcouldbeaffectedbythebaselineconfigurationchange.Forexample,changesthataffect
logicalnetworkportswouldonlyinvolveCIP007R1(PortsandServices),whilechangesthat
affectsecuritypatcheswouldonlyinvolveCIP007R2(SecurityPatchManagement).TheSDT
chosenottoidentifythespecificrequirementsfromCIP005andCIP007inCIP010languageas
theintentoftherelatedrequirementsistobeabletoidentify/verifyanyofthecontrolsin
thosestandardsthatareaffectedasaresultofachangetothebaselineconfiguration.TheSDT
believesitpossiblethatallrequirementsfromCIP005andCIP007maybeidentifiedfora
GuidelinesandTechnicalBasis
Page31of34
majorchangetothebaselineconfiguration,andtherefore,CIP005andCIP007wascitedatthe
standardlevelversustherequirementlevel.
TestEnvironment
TheControlCentertestenvironment(orproductionenvironmentwherethetestisperformed
inamannerthatminimizesadverseeffects)shouldmodelthebaselineconfiguration,butmay
haveadifferentsetofcomponents.Forinstance,anentitymayhaveaBESCyberSystemthat
runsadatabaseononecomponentandawebserveronanothercomponent.Thetest
environmentmayhavethesameoperatingsystem,securitypatches,networkaccessibleports,
andsoftware,buthaveboththedatabaseandwebserverrunningonasinglecomponent
insteadofmultiplecomponents.
Additionally,theResponsibleEntityshouldnotethatwhereveratestenvironment(or
productionenvironmentwherethetestisperformedinamannerthatminimizesadverse
effects)ismentioned,therequirementistomodelthebaselineconfigurationandnot
duplicateitexactly.Thislanguagewaschosendeliberatelyinordertoallowforindividual
elementsofaBESCyberSystemataControlCentertobemodeledthatmaynototherwisebe
abletobereplicatedorduplicatedexactly;suchas,butnotlimitedto,alegacymapboard
controllerorthenumerousdatacommunicationlinksfromthefieldortootherControlCenters
(suchasbyICCP).
RequirementR2:
TheSDTsintentofR2istorequireautomatedmonitoringoftheBESCyberSystem.However,
theSDTunderstandsthattheremaybesomeCyberAssetswhereautomatedmonitoringmay
notbepossible(suchasaGPStimeclock).Forthatreason,automatedtechnicalmonitoring
wasnotexplicitlyrequired,andaResponsibleEntitymaychoosetoaccomplishthis
requirementthroughmanualproceduralcontrols.
RequirementR3:
TheResponsibleEntityshouldnotethattherequirementprovidesadistinctionbetweenpaper
andactivevulnerabilityassessments.Thejustificationforthisdistinctioniswelldocumentedin
FERCOrderNo.706anditsassociatedNoticeofProposedRulemaking.Indevelopingtheir
vulnerabilityassessmentprocesses,ResponsibleEntitiesarestronglyencouragedtoincludeat
leastthefollowingelements,severalofwhicharereferencedinCIP005andCIP007:
PaperVulnerabilityAssessment:
1. NetworkDiscoveryAreviewofnetworkconnectivitytoidentifyallElectronicAccess
PointstotheElectronicSecurityPerimeter.
2. NetworkPortandServiceIdentificationAreviewtoverifythatallenabledportsand
serviceshaveanappropriatebusinessjustification.
GuidelinesandTechnicalBasis
Page32of34
3. VulnerabilityReviewAreviewofsecurityrulesetsandconfigurationsincluding
controlsfordefaultaccounts,passwords,andnetworkmanagementcommunitystrings.
4. WirelessReviewIdentificationofcommontypesofwirelessnetworks(suchas
802.11a/b/g/n)andareviewoftheircontrolsiftheyareinanywayusedforBESCyber
Systemcommunications.
ActiveVulnerabilityAssessment:
1. NetworkDiscoveryUseofactivediscoverytoolstodiscoveractivedevicesandidentify
communicationpathsinordertoverifythatthediscoverednetworkarchitecture
matchesthedocumentedarchitecture.
2. NetworkPortandServiceIdentificationUseofactivediscoverytools(suchasNmap)
todiscoveropenportsandservices.
3. VulnerabilityScanningUseofavulnerabilityscanningtooltoidentifynetwork
accessibleportsandservicesalongwiththeidentificationofknownvulnerabilities
associatedwithservicesrunningonthoseports.
4. WirelessScanningUseofawirelessscanningtooltodiscoverwirelesssignalsand
networksinthephysicalperimeterofaBESCyberSystem.Servestoidentify
unauthorizedwirelessdeviceswithintherangeofthewirelessscanningtool.
Inaddition,ResponsibleEntitiesarestronglyencouragedtoreviewNISTSP800115for
additionalguidanceonhowtoconductavulnerabilityassessment.
Rationale:
Duringthedevelopmentofthisstandard,referencestopriorversionsoftheCIPstandardsand
rationalefortherequirementsandtheirpartswereembeddedwithinthestandard.UponBOT
approval,thatinformationwasmovedtothissection.
RationaleforR1:
Theconfigurationchangemanagementprocessesareintendedtopreventunauthorized
modificationstoBESCyberSystems.
Referencetopriorversion:(Part1.1)NewRequirement
ChangeRationale:(Part1.1)
ThebaselineconfigurationrequirementwasincorporatedfromtheDHSCatalogforControl
SystemsSecurity.Thebaselinerequirementisalsointendedtoclarifypreciselywhenachange
managementprocessmustbeinvokedandwhichelementsoftheconfigurationmustbe
examined.
Referencetopriorversion:(Part1.2)CIP0073,R9;CIP0033,R6
GuidelinesandTechnicalBasis
Page33of34
ChangeRationale:(Part1.2)
TheSDTaddedrequirementtoexplicitlyauthorizechanges.Thisrequirementwaspreviously
impliedbyCIP0033,RequirementR6.
Referencetopriorversion:(Part1.3)CIP0073,R9;CIP0053,R5
ChangeRationale:(Part1.3)
DocumentmaintenancerequirementduetoaBESCyberSystemchangeisequivalenttothe
requirementsinthepreviousversionsofthestandard.
Referencetopriorversion:(Part1.4)CIP0073,R1
ChangeRationale:(Part1.4)
TheSDTattemptedtoprovideclarityonwhentestingmustoccurandremovedrequirementfor
specifictestproceduresbecauseitisimplicitintheperformanceoftherequirement.
Referencetopriorversion:(Part1.5)CIP0073,R1
ChangeRationale:(Part1.5)
Thisrequirementprovidesclarityonwhentestingmustoccurandrequiresadditionaltestingto
ensurethataccidentalconsequencesofplannedchangesareappropriatelymanaged.
ThischangeaddressesFERCOrderNo.706,Paragraphs397,609,610,and611.
RationaleforR2:
Theconfigurationmonitoringprocessesareintendedtodetectunauthorizedmodificationsto
BESCyberSystems.
Referencetopriorversion:(Part2.1)NewRequirement
ChangeRationale:(Part2.1)
ThemonitoringoftheconfigurationoftheBESCyberSystemprovidesanexpress
acknowledgementoftheneedtoconsidermaliciousactionsalongwithintentionalchanges.
ThisrequirementwasaddedafterreviewoftheDHSCatalogofControlSystemSecurityandto
addressFERCOrderNo.706,Paragraph397.
ThirtyfiveCalendardaysallowsforaonceamonthfrequencywithslightflexibilitytoaccount
formonthswith31daysorforbeginningorendingsofmonthsonweekends.
RationaleforR3:
Thevulnerabilityassessmentprocessesareintendedtoactasacomponentinanoverall
programtoperiodicallyensuretheproperimplementationofcybersecuritycontrolsaswellas
tocontinuallyimprovethesecuritypostureofBESCyberSystems.
GuidelinesandTechnicalBasis
Page34of34
Thevulnerabilityassessmentperformedforthisrequirementmaybeacomponentof
deficiencyidentification,assessment,andcorrection.
Referencetopriorversion:(Part3.1)CIP0054,R4;CIP0074,R8
ChangeRationale:(Part3.1)
AssuggestedinFERCOrderNo.706,Paragraph644,thedetailsforwhatshouldbeincludedin
theassessmentarelefttoguidance.
Referencetopriorversion:(Part3.2)NewRequirement
ChangeRationale:(Part3.2)
FERCOrderNo.706,Paragraphs541,542,543,544,545,and547.
AssuggestedinFERCOrderNo.706,Paragraph644,thedetailsforwhatshouldbeincludedin
theassessmentarelefttoguidance.
Referencetopriorversion:(Part3.3)NewRequirement
ChangeRationale:(Part3.3)
FERCOrderNo.706,Paragraphs541,542,543,544,545,and547.
Referencetopriorversion:(Part3.4)CIP0053,R4.5;CIP0073,R8.4
ChangeRationale:(Part3.4)
AddedarequirementforanentityplanneddateofcompletionasperthedirectiveinFERCOrder
No.706,Paragraph643.
Version History
Version Date Action ChangeTracking
1 11/26/12 AdoptedbytheNERCBoardof
Trustees.
Developedto
definethe
configuration
change
managementand
vulnerability
assessment
requirementsin
coordinationwith
otherCIP
standardsandto
addressthe
balanceofthe
FERCdirectivesin
itsOrder706.
CIP0111CyberSecurityInformationProtection
Page1of21
A. I ntroduction
1. Title: CyberSecurityInformationProtection
2. Number: CIP0111
3. Purpose: TopreventunauthorizedaccesstoBESCyberSystemInformationby
specifyinginformationprotectionrequirementsinsupportofprotecting
BESCyberSystemsagainstcompromisethatcouldleadtomisoperation
orinstabilityintheBES.
4. Applicability:
4.1. FunctionalEntities:Forthepurposeoftherequirementscontainedherein,the
followinglistoffunctionalentitieswillbecollectivelyreferredtoasResponsible
Entities.Forrequirementsinthisstandardwhereaspecificfunctionalentityor
subsetoffunctionalentitiesaretheapplicableentityorentities,thefunctionalentity
orentitiesarespecifiedexplicitly.
4.1.1 BalancingAuthority
4.1.2 DistributionProviderthatownsoneormoreofthefollowingFacilities,systems,
andequipmentfortheprotectionorrestorationoftheBES:
4.1.2.1 EachunderfrequencyLoadshedding(UFLS)orundervoltageLoadshedding
(UVLS)systemthat:
4.1.2.1.1 ispartofaLoadsheddingprogramthatissubjecttooneormore
requirementsinaNERCorRegionalReliabilityStandard;and
4.1.2.1.2 performsautomaticLoadsheddingunderacommoncontrolsystem
ownedbytheResponsibleEntity,withouthumanoperatorinitiation,
of300MWormore.
4.1.2.2 EachSpecialProtectionSystemorRemedialActionSchemewherethe
SpecialProtectionSystemorRemedialActionSchemeissubjecttooneor
morerequirementsinaNERCorRegionalReliabilityStandard.
4.1.2.3 EachProtectionSystem(excludingUFLSandUVLS)thatappliesto
TransmissionwheretheProtectionSystemissubjecttooneormore
requirementsinaNERCorRegionalReliabilityStandard.
4.1.2.4 EachCrankingPathandgroupofElementsmeetingtheinitialswitching
requirementsfromaBlackstartResourceuptoandincludingthefirst
interconnectionpointofthestartingstationserviceofthenextgeneration
unit(s)tobestarted.
4.1.3 GeneratorOperator
4.1.4 GeneratorOwner
4.1.5 InterchangeCoordinatororInterchangeAuthority
4.1.6 ReliabilityCoordinator
CIP0111CyberSecurityInformationProtection
Page2of21
4.1.7 TransmissionOperator
4.1.8 TransmissionOwner
4.2. Facilities:Forthepurposeoftherequirementscontainedherein,thefollowing
Facilities,systems,andequipmentownedbyeachResponsibleEntityin4.1above
arethosetowhichtheserequirementsareapplicable.Forrequirementsinthis
standardwhereaspecifictypeofFacilities,system,orequipmentorsubsetof
Facilities,systems,andequipmentareapplicable,thesearespecifiedexplicitly.
4.2.1 DistributionProvider:OneormoreofthefollowingFacilities,systemsand
equipmentownedbytheDistributionProviderfortheprotectionorrestoration
oftheBES:
4.2.1.1 EachUFLSorUVLSSystemthat:
4.2.1.1.1 ispartofaLoadsheddingprogramthatissubjecttooneormore
requirementsinaNERCorRegionalReliabilityStandard;and
4.2.1.1.2 performsautomaticLoadsheddingunderacommoncontrolsystem
ownedbytheResponsibleEntity,withouthumanoperatorinitiation,
of300MWormore.
4.2.1.2 EachSpecialProtectionSystemorRemedialActionSchemewherethe
SpecialProtectionSystemorRemedialActionSchemeissubjecttooneor
morerequirementsinaNERCorRegionalReliabilityStandard.
4.2.1.3 EachProtectionSystem(excludingUFLSandUVLS)thatappliesto
TransmissionwheretheProtectionSystemissubjecttooneormore
requirementsinaNERCorRegionalReliabilityStandard.
4.2.1.4 EachCrankingPathandgroupofElementsmeetingtheinitialswitching
requirementsfromaBlackstartResourceuptoandincludingthefirst
interconnectionpointofthestartingstationserviceofthenextgeneration
unit(s)tobestarted.
4.2.2 ResponsibleEntitieslistedin4.1otherthanDistributionProviders:
AllBESFacilities.
4.2.3 Exemptions:ThefollowingareexemptfromStandardCIP0111:
4.2.3.1 CyberAssetsatFacilitiesregulatedbytheCanadianNuclearSafety
Commission.
4.2.3.2 CyberAssetsassociatedwithcommunicationnetworksanddata
communicationlinksbetweendiscreteElectronicSecurityPerimeters.
4.2.3.3 Thesystems,structures,andcomponentsthatareregulatedbytheNuclear
RegulatoryCommissionunderacybersecurityplanpursuantto10C.F.R.
Section73.54.
CIP0111CyberSecurityInformationProtection
Page3of21
4.2.3.4 ForDistributionProviders,thesystemsandequipmentthatarenotincluded
insection4.2.1above.
4.2.3.5 ResponsibleEntitiesthatidentifythattheyhavenoBESCyberSystems
categorizedashighimpactormediumimpactaccordingtotheCIP0025
identificationandcategorizationprocesses.
5.EffectiveDates:
1.24MonthsMinimumCIP0111shallbecomeeffectiveonthelaterofJuly1,
2015,orthefirstcalendardayoftheninthcalendarquarteraftertheeffectivedateof
theorderprovidingapplicableregulatoryapproval.
2.Inthosejurisdictionswherenoregulatoryapprovalisrequired,CIP0111shall
becomeeffectiveonthefirstdayoftheninthcalendarquarterfollowingBoardof
Trusteesapproval,orasotherwisemadeeffectivepursuanttothelawsapplicableto
suchEROgovernmentalauthorities.
6.Background:
StandardCIP0111existsaspartofasuiteofCIPStandardsrelatedtocybersecurity.
CIP0025requirestheinitialidentificationandcategorizationofBESCyberSystems.
CIP0035,CIP0045,CIP0055,CIP0065,CIP0075,CIP0085,CIP0095,CIP0101,
andCIP0111requireaminimumleveloforganizational,operational,andprocedural
controlstomitigaterisktoBESCyberSystems.ThissuiteofCIPStandardsisreferred
toastheVersion5CIPCyberSecurityStandards.
Mostrequirementsopenwith,EachResponsibleEntityshallimplementoneormore
documented[processes,plan,etc]thatincludetheapplicableitemsin[Table
Reference].Thereferencedtablerequirestheapplicableitemsintheproceduresfor
therequirementscommonsubjectmatter.
TheSDThasincorporatedwithinthisstandardarecognitionthatcertainrequirements
shouldnotfocusonindividualinstancesoffailureasasolebasisforviolatingthe
standard.Inparticular,theSDThasincorporatedanapproachtoempowerand
enabletheindustrytoidentify,assess,andcorrectdeficienciesintheimplementation
ofcertainrequirements.Theintentistochangethebasisofaviolationinthose
requirementssothattheyarenotfocusedonwhetherthereisadeficiency,buton
identifying,assessing,andcorrectingdeficiencies.Itispresentedinthose
requirementsbymodifyingimplementasfollows:
EachResponsibleEntityshallimplement,inamannerthatidentifies,assesses,
andcorrectsdeficiencies,...
Thetermdocumentedprocessesreferstoasetofrequiredinstructionsspecifictothe
ResponsibleEntityandtoachieveaspecificoutcome.Thistermdoesnotimplyany
particularnamingorapprovalstructurebeyondwhatisstatedintherequirements.
Anentityshouldincludeasmuchasitbelievesnecessaryintheirdocumented
CIP0111CyberSecurityInformationProtection
Page4of21
processes,buttheymustaddresstheapplicablerequirementsinthetable.The
documentedprocessesthemselvesarenotrequiredtoincludethe...identifies,
assesses,andcorrectsdeficiencies,..."elementsdescribedinthepreceding
paragraph,asthoseaspectsarerelatedtothemannerofimplementationofthe
documentedprocessesandcouldbeaccomplishedthroughothercontrolsor
compliancemanagementactivities.
Thetermsprogramandplanaresometimesusedinplaceofdocumentedprocesses
whereitmakessenseandiscommonlyunderstood.Forexample,documented
processesdescribingaresponsearetypicallyreferredtoasplans(i.e.,incident
responseplansandrecoveryplans).Likewise,asecurityplancandescribean
approachinvolvingmultipleprocedurestoaddressabroadsubjectmatter.
Similarly,thetermprogrammayrefertotheorganizationsoverallimplementationof
itspolicies,plansandproceduresinvolvingasubjectmatter.Examplesinthe
standardsincludethepersonnelriskassessmentprogramandthepersonneltraining
program.ThefullimplementationoftheCIPCyberSecurityStandardscouldalsobe
referredtoasaprogram.However,thetermsprogramandplandonotimplyany
additionalrequirementsbeyondwhatisstatedinthestandards.
ResponsibleEntitiescanimplementcommoncontrolsthatmeetrequirementsfor
multiplehighandmediumimpactBESCyberSystems.Forexample,asingletraining
programcouldmeettherequirementsfortrainingpersonnelacrossmultipleBES
CyberSystems.
Measuresfortheinitialrequirementaresimplythedocumentedprocesses
themselves.Measuresinthetablerowsprovideexamplesofevidencetoshow
documentationandimplementationofapplicableitemsinthedocumentedprocesses.
Thesemeasuresservetoprovideguidancetoentitiesinacceptablerecordsof
complianceandshouldnotbeviewedasanallinclusivelist.
Throughoutthestandards,unlessotherwisestated,bulleteditemsinthe
requirementsandmeasuresareitemsthatarelinkedwithanor,andnumbered
itemsareitemsthatarelinkedwithanand.
ManyreferencesintheApplicabilitysectionuseathresholdof300MWforUFLSand
UVLS.Thisparticularthresholdof300MWforUVLSandUFLSwasprovidedinVersion
1oftheCIPCyberSecurityStandards.Thethresholdremainsat300MWsinceitis
specificallyaddressingUVLSandUFLS,whicharelastditcheffortstosavetheBulk
ElectricSystem.AreviewofUFLStolerancesdefinedwithinregionalreliability
standardsforUFLSprogramrequirementstodateindicatesthatthehistoricalvalueof
300MWrepresentsanadequateandreasonablethresholdvalueforallowableUFLS
operationaltolerances.
ApplicableSystemsColumnsinTables:
EachtablehasanApplicableSystemscolumntofurtherdefinethescopeofsystems
towhichaspecificrequirementrowapplies.TheCSO706SDTadaptedthisconcept
fromtheNationalInstituteofStandardsandTechnology(NIST)RiskManagement
CIP0111CyberSecurityInformationProtection
Page5of21
Frameworkasawayofapplyingrequirementsmoreappropriatelybasedonimpact
andconnectivitycharacteristics.Thefollowingconventionsareusedinthe
ApplicableSystemscolumnasdescribed.
HighImpactBESCyberSystemsAppliestoBESCyberSystemscategorizedas
highimpactaccordingtotheCIP0025identificationandcategorization
processes.
MediumImpactBESCyberSystemsAppliestoBESCyberSystemscategorized
asmediumimpactaccordingtotheCIP0025identificationandcategorization
processes.
ElectronicAccessControlorMonitoringSystems(EACMS)Appliestoeach
ElectronicAccessControlorMonitoringSystemassociatedwithareferenced
highimpactBESCyberSystemormediumimpactBESCyberSystem.Examples
mayinclude,butarenotlimitedto,firewalls,authenticationservers,andlog
monitoringandalertingsystems.
PhysicalAccessControlSystems(PACS)AppliestoeachPhysicalAccess
ControlSystemassociatedwithareferencedhighimpactBESCyberSystemor
mediumimpactBESCyberSystemwithExternalRoutableConnectivity.
ProtectedCyberAssets(PCA)AppliestoeachProtectedCyberAssetassociated
withareferencedhighimpactBESCyberSystemormediumimpactBESCyber
System
CIP0111CyberSecurityInformationProtection
Page6of21
B. Requirements and Measures
R1. EachResponsibleEntityshallimplement,inamannerthatidentifies,assesses,andcorrectsdeficiencies,oneormore
documentedinformationprotectionprogram(s)thatcollectivelyincludeseachoftheapplicablerequirementpartsinCIP
0111TableR1InformationProtection.[ViolationRiskFactor:Medium][TimeHorizon:OperationsPlanning].
M1.EvidencefortheinformationprotectionprogrammustincludetheapplicablerequirementpartsinCIP0111TableR1
InformationProtectionandadditionalevidencetodemonstrateimplementationasdescribedintheMeasurescolumnof
thetable.
CIP0111CyberSecurityInformationProtection
Page7of21
CIP0111TableR1InformationProtection
Part ApplicableSystems Requirements Measures
1.1 HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;and
2. PACS
MediumImpactBESCyberSystems
andtheirassociated:
1. EACMS;and
2. PACS
Method(s)toidentifyinformationthat
meetsthedefinitionofBESCyber
SystemInformation.
Examplesofacceptableevidence
include,butarenotlimitedto:
Documentedmethodtoidentify
BESCyberSystemInformation
fromentitysinformation
protectionprogram;or
Indicationsoninformation(e.g.,
labelsorclassification)thatidentify
BESCyberSystemInformationas
designatedintheentitys
informationprotectionprogram;or
Trainingmaterialsthatprovide
personnelwithsufficient
knowledgetorecognizeBESCyber
SystemInformation;or
Repositoryorelectronicand
physicallocationdesignatedfor
housingBESCyberSystem
Informationintheentitys
informationprotectionprogram.
CIP0111CyberSecurityInformationProtection
Page8of21
CIP0111TableR1InformationProtection
Part ApplicableSystems Requirement Measure
1.2 HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;and
2. PACS
MediumImpactBESCyberSystems
andtheirassociated:
1. EACMS;and
2. PACS
Procedure(s)forprotectingand
securelyhandlingBESCyberSystem
Information,includingstorage,transit,
anduse.
Examplesofacceptableevidence
include,butarenotlimitedto:
Proceduresforprotectingand
securelyhandling,whichinclude
topicssuchasstorage,security
duringtransit,anduseofBES
CyberSystemInformation;or
RecordsindicatingthatBESCyber
SystemInformationishandledina
mannerconsistentwiththeentitys
documentedprocedure(s).
CIP0111CyberSecurityInformationProtection
Page9of21
R2. EachResponsibleEntityshallimplementoneormoredocumentedprocessesthatcollectivelyincludetheapplicable
requirementpartsinCIP0111TableR2BESCyberAssetReuseandDisposal.[ViolationRiskFactor:Lower][TimeHorizon:
OperationsPlanning].
M2. Evidencemustincludeeachoftheapplicabledocumentedprocessesthatcollectivelyincludeeachoftheapplicable
requirementpartsinCIP0111TableR2BESCyberAssetReuseandDisposalandadditionalevidencetodemonstrate
implementationasdescribedintheMeasurescolumnofthetable.
CIP0111TableR2BESCyberAssetReuseandDisposal
Part ApplicableSystems Requirements Measures
2.1 HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;
2. PACS;and
3. PCA
MediumImpactBESCyberSystems
andtheirassociated:
1. EACMS;
2. PACS;and
3. PCA
Priortothereleaseforreuseof
applicableCyberAssetsthatcontain
BESCyberSystemInformation
(exceptforreusewithinother
systemsidentifiedintheApplicable
Systemscolumn),theResponsible
Entityshalltakeactiontopreventthe
unauthorizedretrievalofBESCyber
SystemInformationfromtheCyber
Assetdatastoragemedia.
Examplesofacceptableevidence
include,butarenotlimitedto:
Recordstrackingsanitization
actionstakentoprevent
unauthorizedretrievalofBES
CyberSystemInformationsuchas
clearing,purging,ordestroying;
or
Recordstrackingactionssuchas
encrypting,retaininginthe
PhysicalSecurityPerimeteror
othermethodsusedtoprevent
unauthorizedretrievalofBES
CyberSystemInformation.
CIP0111CyberSecurityInformationProtection
Page10of21
CIP0111TableR2BESCyberAssetReuseandDisposal
Part ApplicableSystems Requirements Measures
2.2 HighImpactBESCyberSystemsand
theirassociated:
1. EACMS;
2. PACS;and
3. PCA
MediumImpactBESCyberSystems
andtheirassociated:
1. EACMS;
2. PACS;and
3. PCA
Priortothedisposalofapplicable
CyberAssetsthatcontainBESCyber
SystemInformation,theResponsible
Entityshalltakeactiontopreventthe
unauthorizedretrievalofBESCyber
SystemInformationfromtheCyber
Assetordestroythedatastorage
media.
Examplesofacceptableevidence
include,butarenotlimitedto:
Recordsthatindicatethatdata
storagemediawasdestroyed
priortothedisposalofan
applicableCyberAsset;or
Recordsofactionstakento
preventunauthorizedretrievalof
BESCyberSystemInformation
priortothedisposalofan
applicableCyberAsset.
CIP0111CyberSecurityInformationProtection
Page11of21
C. Compliance
1. ComplianceMonitoringProcess:
1.1. ComplianceEnforcementAuthority:
TheRegionalEntityshallserveastheComplianceEnforcementAuthority(CEA)unlessthe
applicableentityisowned,operated,orcontrolledbytheRegionalEntity.Insuchcasesthe
EROoraRegionalEntityapprovedbyFERCorotherapplicablegovernmentalauthorityshall
serveastheCEA.
1.2. EvidenceRetention:
Thefollowingevidenceretentionperiodsidentifytheperiodoftimeanentityisrequiredto
retainspecificevidencetodemonstratecompliance.Forinstanceswheretheevidence
retentionperiodspecifiedbelowisshorterthanthetimesincethelastaudit,theCEAmayask
anentitytoprovideotherevidencetoshowthatitwascompliantforthefulltimeperiodsince
thelastaudit.
TheResponsibleEntityshallkeepdataorevidencetoshowcomplianceasidentifiedbelow
unlessdirectedbyitsCEAtoretainspecificevidenceforalongerperiodoftimeaspartofan
investigation:
EachResponsibleEntityshallretainevidenceofeachrequirementinthisstandardforthree
calendaryears.
IfaResponsibleEntityisfoundnoncompliant,itshallkeepinformationrelatedtothenon
complianceuntilmitigationiscompleteandapprovedorforthetimespecifiedabove,
whicheverislonger.
TheCEAshallkeepthelastauditrecordsandallrequestedandsubmittedsubsequentaudit
records.
1.3. ComplianceMonitoringandAssessmentProcesses:
ComplianceAudit
SelfCertification
SpotChecking
ComplianceInvestigation
SelfReporting
Complaint
1.4. AdditionalComplianceInformation:
None
CIP0111CyberSecurityInformationProtection
Page12of21
2.TableofComplianceElements
R# Time
Horizon
VRF ViolationSeverityLevels(CIP0111)
LowerVSL ModerateVSL HighVSL SevereVSL
R1 Operations
Planning
Medium N/A
TheResponsibleEntity
hasimplementeda
BESCyberSystem
Information
protectionprogram
whichincludesoneor
moremethodsto
identifyBESCyber
SystemInformation
andhasidentified
deficienciesbutdid
notassessorcorrect
thedeficiencies.(1.1)
OR
TheResponsibleEntity
hasimplementeda
BESCyberSystem
Information
protectionprogram
whichincludesoneor
moremethodsto
identifyBESCyber
SystemInformation
butdidnotidentify,
assess,orcorrectthe
TheResponsible
Entityhasnot
documentedor
implementedaBES
CyberSystem
Information
protectionprogram
(R1).
CIP0111CyberSecurityInformationProtection
Page13of21
R# Time
Horizon
VRF ViolationSeverityLevels(CIP0111)
LowerVSL ModerateVSL HighVSL SevereVSL
deficiencies.(1.1)
OR
TheResponsibleEntity
hasimplementeda
BESCyberSystem
Information
protectionprogram
whichincludesoneor
moreproceduresfor
protectionandsecure
handlingBESCyber
SystemInformation
andhasidentified
deficienciesbutdid
notassessorcorrect
thedeficiencies.(1.2)
OR
TheResponsibleEntity
hasimplementeda
BESCyberSystem
Information
protectionprogram
whichincludesoneor
moreproceduresfor
protectionandsecure
handlingBESCyber
SystemInformation
butdidnotidentify,
CIP0111CyberSecurityInformationProtection
Page14of21
R# Time
Horizon
VRF ViolationSeverityLevels(CIP0111)
LowerVSL ModerateVSL HighVSL SevereVSL
assess,orcorrectthe
deficiencies.(1.2)
R2 Operations
Planning
Lower N/A TheResponsibleEntity
implementedoneormore
documentedprocessesbut
didnotincludeprocesses
forreuseastopreventthe
unauthorizedretrievalof
BESCyberSystem
InformationfromtheBES
CyberAsset.(2.1)
TheResponsibleEntity
implementedoneor
moredocumented
processesbutdidnot
includedisposalor
mediadestruction
processestoprevent
theunauthorized
retrievalofBESCyber
SystemInformation
fromtheBESCyber
Asset.(2.2)
TheResponsible
Entityhasnot
documentedor
implementedany
processesfor
applicable
requirementparts
inCIP0111Table
R2BESCyber
AssetReuseand
Disposal.(R2)
GuidelinesandTechnicalBasis
Page15of21
D. Regional Variances
None.
E. Interpretations
None.
F. Associated Documents
None.
GuidelinesandTechnicalBasis
Page16of21
Guidelines and Technical Basis
Section4ScopeofApplicabilityoftheCIPCyberSecurityStandards
Section4.ApplicabilityofthestandardsprovidesimportantinformationforResponsible
EntitiestodeterminethescopeoftheapplicabilityoftheCIPCyberSecurityRequirements.
Section4.1.FunctionalEntitiesisalistofNERCfunctionalentitiestowhichthestandard
applies.IftheentityisregisteredasoneormoreofthefunctionalentitieslistedinSection4.1,
thentheNERCCIPCyberSecurityStandardsapply.NotethatthereisaqualificationinSection
4.1thatrestrictstheapplicabilityinthecaseofDistributionProviderstoonlythosethatown
certaintypesofsystemsandequipmentlistedin4.2.Furthermore,
Section4.2.FacilitiesdefinesthescopeoftheFacilities,systems,andequipmentownedby
theResponsibleEntity,asqualifiedinSection4.1,thatissubjecttotherequirementsofthe
standard.Asspecifiedintheexemptionsection4.2.3.5,thisstandarddoesnotapplyto
ResponsibleEntitiesthatdonothaveHighImpactorMediumImpactBESCyberSystemsunder
CIP0025scategorization.InadditiontothesetofBESFacilities,ControlCenters,andother
systemsandequipment,thelistincludesthesetofsystemsandequipmentownedby
DistributionProviders.WhiletheNERCGlossarytermFacilitiesalreadyincludestheBES
characteristic,theadditionaluseofthetermBEShereismeanttoreinforcethescopeof
applicabilityoftheseFacilitieswhereitisused,especiallyinthisapplicabilityscopingsection.
ThisineffectsetsthescopeofFacilities,systems,andequipmentthatissubjecttothe
standards.
RequirementR1:
ResponsibleEntitiesarefreetoutilizeexistingchangemanagementandassetmanagement
systems.However,theinformationcontainedwithinthosesystemsmustbeevaluated,asthe
informationprotectionrequirementsstillapply.
ThejustificationforthisrequirementispreexistingfrompreviousversionsofCIPandisalso
documentedinFERCOrderNo.706anditsassociatedNoticeofProposedRulemaking.
ThisrequirementmandatesthatBESCyberSystemInformationbeidentified.TheResponsible
Entityhasflexibilityindetermininghowtoimplementtherequirement.TheResponsibleEntity
shouldexplainthemethodforidentifyingtheBESCyberSystemInformationintheir
informationprotectionprogram.Forexample,theResponsibleEntitymaydecidetomarkor
labelthedocuments.IdentifyingseparateclassificationsofBESCyberSystemInformationis
notspecificallyrequired.However,aResponsibleEntitymaintainstheflexibilitytodosoifthey
desire.AslongastheResponsibleEntitysinformationprotectionprogramincludesall
applicableitems,additionalclassificationlevels(e.g.,confidential,public,internaluseonly,etc.)
canbecreatedthatgoaboveandbeyondtherequirements.Iftheentitychoosestouse
classifications,thenthetypesofclassificationsusedbytheentityandanyassociatedlabeling
shouldbedocumentedintheentitysBESCyberSystemInformationProgram.
GuidelinesandTechnicalBasis
Page17of21
TheResponsibleEntitymaystorealloftheinformationaboutBESCyberSystemsinaseparate
repositoryorlocation(physicaland/orelectronic)withaccesscontrolimplemented.For
example,theResponsibleEntitysprogramcoulddocumentthatallinformationstoredinan
identifiedrepositoryisconsideredBESCyberSystemInformation,theprogrammaystatethat
allinformationcontainedinanidentifiedsectionofaspecificrepositoryisconsideredBES
CyberSystemInformation,ortheprogrammaydocumentthatallhardcopiesofinformation
arestoredinasecuredareaofthebuilding.Additionalmethodsforimplementingthe
requirementaresuggestedinthemeasuressection.However,themethodslistedinmeasures
arenotmeanttobeanexhaustivelistofmethodsthattheentitymaychoosetoutilizeforthe
identificationofBESCyberSystemInformation.
TheSDTdoesnotintendthatthisrequirementcoverpubliclyavailableinformation,suchas
vendormanualsthatareavailableviapublicwebsitesorinformationthatisdeemedtobe
publiclyreleasable.
Informationprotectionpertainstobothdigitalandhardcopyinformation.R1.2requiresoneor
moreproceduresfortheprotectionandsecurehandlingBESCyberSystemInformation,
includingstorage,transit,anduse.
TheentityswrittenInformationProtectionProgramshouldexplainhowtheentityhandles
aspectsofinformationprotectionincludingspecifyinghowBESCyberSystemInformationisto
besecurelyhandledduringtransitinordertoprotectagainstunauthorizedaccess,misuse,or
corruptionandtoprotectconfidentialityofthecommunicatedBESCyberSystemInformation.
Forexample,theuseofathirdpartycommunicationserviceproviderinsteadoforganization
ownedinfrastructuremaywarranttheuseofencryptiontopreventunauthorizeddisclosureof
informationduringtransmission.Theentitymaychoosetoestablishatrustedcommunications
pathfortransitofBESCyberSystemInformation.Thetrustedcommunicationspathwould
utilizealogonorothersecuritymeasurestoprovidesecurehandlingduringtransit.Theentity
mayemployalternativephysicalprotectivemeasures,suchastheuseofacourierorlocked
containerfortransmissionofinformation.Itisnottheintentofthisstandardtomandatethe
useofoneparticularformatforsecurehandlingduringtransit.
AgoodInformationProtectionProgramwilldocumentthecircumstancesunderwhichBES
CyberSystemInformationcanbesharedwithorusedbythirdparties.Theorganizationshould
distributeorshareinformationonaneedtoknowbasis.Forexample,theentitymayspecify
thataconfidentialityagreement,nondisclosurearrangement,contract,orwrittenagreement
ofsomekindconcerningthehandlingofinformationmustbeinplacebetweentheentityand
thethirdparty.TheentitysInformationProtectionProgramshouldspecifycircumstancesfor
sharingofBESCyberSystemInformationwithandusebythirdparties,forexample,useofa
nondisclosureagreement.Theentityshouldthenfollowtheirdocumentedprogram.These
requirementsdonotmandateonespecifictypeofarrangement.
RequirementR2:
ThisrequirementallowsforBESCyberSystemstoberemovedfromserviceandanalyzedwith
theirmediaintact,asthatshouldnotconstituteareleaseforreuse.However,followingthe
GuidelinesandTechnicalBasis
Page18of21
analysis,ifthemediaistobereusedoutsideofaBESCyberSystemordisposedof,theentity
musttakeactiontopreventtheunauthorizedretrievalofBESCyberSystemInformationfrom
themedia.
ThejustificationforthisrequirementispreexistingfrompreviousversionsofCIPandisalso
documentedinFERCOrderNo.706anditsassociatedNoticeofProposedRulemaking.
IfanapplicableCyberAssetisremovedfromthePhysicalSecurityPerimeterpriortoaction
takentopreventtheunauthorizedretrievalofBESCyberSystemInformationordestroyingthe
datastoragemedia,theresponsibleentityshouldmaintaindocumentationthatidentifiesthe
custodianforthedatastoragemediawhilethedatastoragemediaisoutsideofthePhysical
SecurityPerimeterpriortoactionstakenbytheentityasrequiredinR2.
Mediasanitizationistheprocessusedtoremoveinformationfromsystemmediasuchthat
reasonableassuranceexiststhattheinformationcannotberetrievedorreconstructed.Media
sanitizationisgenerallyclassifiedintofourcategories:Disposal,clearing,purging,and
destroying.Forthepurposesofthisrequirement,disposalbyitself,withtheexceptionof
certainspecialcircumstances,suchastheuseofstrongencryptiononadriveusedinaSANor
othermedia,shouldneverbeconsideredacceptable.Theuseofclearingtechniquesmay
provideasuitablemethodofsanitizationformediathatistobereused,whereaspurging
techniquesmaybemoreappropriateformediathatisreadyfordisposal.
ThefollowinginformationfromNISTSP80088providesadditionalguidanceconcerningthe
typesofactionsthatanentitymighttaketopreventtheunauthorizedretrievalofBESCyber
SystemInformationfromtheCyberAssetdatastoragemedia:
Clear:Onemethodtosanitizemediaistousesoftwareorhardwareproductsto
overwritestoragespaceonthemediawithnonsensitivedata.Thisprocessmayinclude
overwritingnotonlythelogicalstoragelocationofafile(s)(e.g.,fileallocationtable)but
alsomayincludealladdressablelocations.Thesecuritygoaloftheoverwritingprocess
istoreplacewrittendatawithrandomdata.Overwritingcannotbeusedformediathat
aredamagedornotrewriteable.Themediatypeandsizemayalsoinfluencewhether
overwritingisasuitablesanitizationmethod[SP80036].
Purge:DegaussingandexecutingthefirmwareSecureErasecommand(forATAdrives
only)areacceptablemethodsforpurging.Degaussingisexposingthemagneticmediato
astrongmagneticfieldinordertodisrupttherecordedmagneticdomains.Adegausser
isadevicethatgeneratesamagneticfieldusedtosanitizemagneticmedia.Degaussers
areratedbasedonthetype(i.e.,lowenergyorhighenergy)ofmagneticmediatheycan
purge.Degaussersoperateusingeitherastrongpermanentmagnetoran
electromagneticcoil.Degaussingcanbeaneffectivemethodforpurgingdamagedor
inoperativemedia,forpurgingmediawithexceptionallylargestoragecapacities,orfor
quicklypurgingdiskettes.[SP80036]ExecutingthefirmwareSecureErasecommand
(forATAdrivesonly)anddegaussingareexamplesofacceptablemethodsforpurging.
GuidelinesandTechnicalBasis
Page19of21
Degaussingofanyharddriveassemblyusuallydestroysthedriveasthefirmwarethat
managesthedeviceisalsodestroyed.
Destroy:Therearemanydifferenttypes,techniques,andproceduresformedia
destruction.Disintegration,Pulverization,Melting,andIncinerationaresanitization
methodsdesignedtocompletelydestroythemedia.Theyaretypicallycarriedoutatan
outsourcedmetaldestructionorlicensedincinerationfacilitywiththespecific
capabilitiestoperformtheseactivitieseffectively,securely,andsafely.Opticalmass
storagemedia,includingcompactdisks(CD,CDRW,CDR,CDROM),opticaldisks
(DVD),andMOdisks,mustbedestroyedbypulverizing,crosscutshreddingorburning.
Insomecasessuchasnetworkingequipment,itmaybenecessarytocontactthe
manufacturerforpropersanitizationprocedure.
Itiscriticalthatanorganizationmaintainarecordofitssanitizationactionstoprevent
unauthorizedretrievalofBESCyberSystemInformation.Entitiesarestronglyencouragedto
reviewNISTSP80088forguidanceonhowtodevelopacceptablemediasanitizationprocesses.
Rationale:
Duringthedevelopmentofthisstandard,referencestopriorversionsoftheCIPstandardsand
rationalefortherequirementsandtheirpartswereembeddedwithinthestandard.UponBOT
approval,thatinformationwasmovedtothissection.
RationaleforR1:
TheSDTsintentoftheinformationprotectionprogramistopreventunauthorizedaccessto
BESCyberSystemInformation.
SummaryofChanges:CIP0034R4,R4.2,andR4.3havebeenmovedtoCIP011R1.CIP0034,
RequirementR4.1wasmovedtothedefinitionofBESCyberSystemInformation.
Referencetopriorversion:(Part1.1)CIP0033,R4;CIP0033,R4.2
ChangeRationale:(Part1.1)
TheSDTremovedtheexplicitrequirementforclassificationastherewasnorequirementtohave
multiplelevelsofprotection(e.g.,confidential,public,internaluseonly,etc.)Thismodification
doesnotpreventhavingmultiplelevelsofclassification,allowingmoreflexibilityforentitiesto
incorporatetheCIPinformationprotectionprogramintotheirnormalbusiness.
Referencetopriorversion:(Part1.2)CIP0033,R4
ChangeRationale:(Part1.2)
TheSDTchangedthelanguagefromprotectinformationtoProceduresforprotectingand
securelyhandlingtoclarifytheprotectionthatisrequired.
GuidelinesandTechnicalBasis
Page20of21
RationaleforR2:
TheintentoftheBESCyberAssetreuseanddisposalprocessistopreventtheunauthorized
disseminationofBESCyberSystemInformationuponreuseordisposal.
Referencetopriorversion:(Part2.1)CIP0073,R7.2
ChangeRationale:(Part2.1)
ConsistentwithFERCOrderNo.706,Paragraph631,theSDTclarifiedthatthegoalwasto
preventtheunauthorizedretrievalofinformationfromthemedia,removingtheworderase
since,dependingonthemediaitself,erasuremaynotbesufficienttomeetthisgoal.
Referencetopriorversion:(Part2.2)CIP0073,R7.1
ChangeRationale:(Part2.2)
ConsistentwithFERCOrderNo.706,Paragraph631,theSDTclarifiedthatthegoalwasto
preventtheunauthorizedretrievalofinformationfromthemedia,removingtheworderase
since,dependingonthemediaitself,erasuremaynotbesufficienttomeetthisgoal.
TheSDTalsoremovedtherequirementexplicitlyrequiringrecordsofdestruction/redeployment
asthiswasseenasdemonstrationoftheexistingrequirementandnotarequirementinandof
itself.
GuidelinesandTechnicalBasis
Page21of21
Version History
Version Date Action ChangeTracking
1 11/26/12 AdoptedbytheNERCBoardof
Trustees.
Developedto
definethe
information
protection
requirementsin
coordinationwith
otherCIP
standardsandto
addressthe
balanceofthe
FERCdirectivesin
itsOrder706.
A. Introduction
B. Requirements
R1. Each Reliability Coordinator shall approve or deny a request within five minutes of
receiving the request for unscheduled flow transmission relief from the Transmission
Operator of a Qualified Transfer Path that will result in the calculation of a Relief
Requirement. [Violation Risk Factor: Medium] [Time Horizon: Real-time Operations]
R2. Each Balancing Authority shall perform any combination of the following actions meeting
the Relief Requirement upon receiving a request for relief as described in Requirement
R1: [Violation Risk Factor: Medium] [Time Horizon: Real-time Operations]
Approve curtailment requests to the schedules as submitted
Implement alternative actions
C. Measures
M1. The Reliability Coordinator shall have evidence that it approved or denied the request
within five minutes of receiving a request for relief, in accordance with Requirement R1.
Evidence may include, but is not limited to, documentation of either an active or passive
approval.
M1.1.1 Each Balancing Authority shall have evidence that it provided the Relief
Requirement through Contributing Schedules curtailments, alternative actions, or a
combination that collectively meets the Relief Requirement as directed in
Requirement R.2.
WECC Standard IRO-006-WECC-2 Qualified Transfer Path Unscheduled Flow (USF) Relief
2
D. Compliance
1. Compliance Monitoring Process:
1.1. Compliance Enforcement Authority
Regional Entity
If the Responsible Entity works for the Regional Entity, then the Regional
Entity will establish an agreement with the ERO or another entity approved by
the ERO and FERC (i.e., another Regional Entity) to be responsible for
compliance enforcement.
If the Responsible Entity is also a Regional Entity, the ERO or a Regional
Entity approved by the ERO and FERC or other applicable governmental
authorities shall serve as the Compliance Enforcement Authority.
1.2. Evidence Retention:
The following evidence retention periods identify the period of time an entity is
required to retain specific evidence to demonstrate compliance. For instances
where the evidence retention period specified below is shorter than the time since
the last audit, the Compliance Enforcement Authority may ask an entity to provide
other evidence to show that it was complaint for the full time period since the last
audit.
Each Balancing Authority and Reliability Coordinator shall keep data or
evidence to show compliance as identified below unless directed by its
Compliance Enforcement Authority to retain specific evidence for a longer
period of time as part of an investigation.
The Balancing Authority and Reliability Coordinator shall retain data or
evidence for three calendar years or for the duration of any Compliance
Enforcement Authority investigation; whichever is longer.
If a Balancing Authority or Reliability Coordinator is found non-compliant, it
shall keep information related to the non-compliance until found compliant or
for the duration specified above, whichever is longer.
The Compliance Enforcement Authority shall keep the last audit records and all
requested and submitted subsequent audit records.
1.3. Compliance Monitoring and Assessment Processes:
Compliance Audit
Self-Certification
Spot Checking
Compliance Investigation
Self-Reporting
Complaint
WECC Standard IRO-006-WECC-2 Qualified Transfer Path Unscheduled Flow (USF) Relief
3
contingencies14,towhatextentdoesthedescriptioninTable1,footnote(e)
8
requireanentityto
modelasinglepointoffailureofaprotectionsystemcomponentthatmaypreventcorrectoperationof
aprotectionsystem,includingotherprotectionsystemsimpactedbythatfailedcomponentbasedon
theasbuiltdesignofthatprotectionsystem?
Thereisalackofclaritywhetherfootnote(e)inTable1requiresthestudyand/orsimulationofafailure
ofaprotectionsystemcomponent(i.e.,singlepointoffailure)thatmaypreventcorrectoperationof
theprotectionsystem(s)impactedbythecomponentfailure.Protectionsystemsthatsharea
protectionsystemcomponentarefullydependentuponthecorrectoperationofthatsingleshared
componentanddonotperformastwoindependentprotectionsystems.Thislackofclaritymayresult
inapotentialreliabilitygap.
Clarityisnecessaryastowhether(1)avalidassessmentshouldincludeevaluationofdelayedclearing
duetofailureoftheprotectionsystemcomponent(i.e.,singlepointoffailure),suchasthefailureofa
sharedprotectionsystemcomponent,thatproducesthemoreseveresystemresultsorimpacts;and(2)
thestudyand/orsimulationofthefaultclearingsequenceandprotectionsystem(s)operationshould
bebasedontheprotectionsystem(s)asbuiltdesign.
ThelackofclarityiscompoundedbythesimilaritybetweenthephraseDelayedClearingusedinTPL
0030aandTPL0040,footnote(e),andtheNERCglossarytermDelayedFaultClearing.WhileTPL
0030aandTPL0040donotusetheglossaryterm,thesimilaritymayleadtoconfusionand
inconsistencyinhowentitiesapplyfootnote(e)tostuckbreakerorprotectionsystemfailure
contingencyassessments.
Question 1
Fortheparenthetical(stuckbreakerorprotectionsystemfailure)inTPL0030a(CategoryC
contingencies69)andTPL0040(CategoryDcontingencies14),doesanentityhavetheoptionof
evaluatingtheeffects
9
ofeitherstuckbreakerorprotectionsystemfailurecontingency
10
,ordoes
anapplicableentityhavetoevaluatethecontingencythatproducesthemoreseveresystemresultsor
impactsasidentifiedinR1.3.1ofbothstandards?
Response 1
5
AsrequiredbyNERCReliabilityStandardTPL0030a,RequirementR1.5.and/orTPL0040,RequirementR1.4.
6
AsrequiredbyNERCReliabilityStandardTPL0030a,RequirementR1.5.
7
AsrequiredbyNERCReliabilityStandardTPL0040,RequirementR1.4.
8
Footnote(e)DelayedClearing:failureofanyprotectionsystemcomponentsuchasarelay,circuitbreaker,or
currenttransformer,andnotbecauseofanintentionaldesigndelay,
9
AsrequiredbyNERCReliabilityStandardTPL0030a,RequirementR1.3.10.and/orTPL0040,Requirement
R1.3.7.
10
AsrequiredbyNERCReliabilityStandardTPL0030a,RequirementR1.5.and/orTPL0040,RequirementR1.4.
Standard TPL-003-2b System Performance Following Loss of Two or More BES
Elements
Page 15 of 16
TheinterpretationdraftingteamconcludesthatthePlanningAuthorityandTransmissionPlannermust
evaluatethesituationthatproducesthemoreseveresystemresultsorimpacts(i.e.,TPL0030a,R1.3.1
andTPL0040,R1.3.1)duetoadelayedclearingconditionregardlessofwhethertheconditionresulted
fromastuckbreakerorprotectionsystemfailure.TheReliabilityStandardsTPL0030a(TableI,
CategoryCcontingencies69)andTPL0040(TableI,CategoryDcontingencies14)involvean
assessmentoftheeffectsofeitherastuckbreakeroraprotectionsystemfailure.Thesingleline
ground(SLG)(TPL0030a,TableI,CategoryC)Faultand3phase(3)(TPL0040,TableI,CategoryD)
Faultcontingencieswithdelayedclearingarefurtherdefinedbyfootnote(e)andtheparenthetical
phrase(stuckbreakerorprotectionsystemfailure).Footnote(e)explainsthatDelayedclearingofa
Faultisduetofailureofanyprotectionsystemcomponentsuchasarelay,circuitbreaker,orcurrent
transformer,andnotbecauseofanintentionaldesigndelay.Theparentheticalfurtheremphasizes
thatthefailuremaybeastuckbreakerorprotectionsystemfailurethatcausesthedelayedclearing
ofthefault.ThetextinTable1ineitherstandardexplainsthatwhenselectingdelayedclearing
contingenciestoevaluate,bothconditions(stuckbreakerorprotectionsystemfailure)mustbe
considered.
Question 2
ForthephraseDelayedClearing
11
usedinCategoryC
12
contingencies69andCategoryD
13
contingencies14,towhatextentdoesthedescriptioninTable1,footnote(e)
14
requireanentityto
modelasinglepointoffailureofaprotectionsystemcomponentthatmaypreventcorrectoperationof
aprotectionsystem,includingotherprotectionsystemsimpactedbythatfailedcomponentbasedon
theasbuiltdesignofthatprotectionsystem?
Response 2
ThetermDelayedClearingthatisdescribedinTableI,footnote(e)referstofaultclearingthatresults
fromafailuretoachievetheprotectionsystemsnormallyexpectedclearingtime.ForCategoryCorD
contingencies,eachPlanningAuthorityandTransmissionPlannerispermittedengineeringjudgmentin
itsselectionoftheprotectionsystemcomponentfailuresforevaluationthatwouldproducethemore
severesystemresultsorimpact(i.e.,TPL0030a,R1.3.1andTPL0040,R1.3.1).Theevaluationwould
includeaddressingallprotectionsystemsaffectedbytheselectedcomponent.
Aprotectionsystemcomponentfailurethatimpactsoneormoreprotectionsystemsandincreasesthe
totalfaultclearingtimerequiresthePlanningAuthorityandTransmissionPlannertosimulatethefull
impact(clearingtimeandfacilitiesremoved)ontheBulkElectricSystemperformance.
Theinterpretationdraftingteambasesthisconclusiononthefootnote(e)exampleanyprotection
11
AsrequiredbyNERCReliabilityStandardTPL0030a,RequirementR1.5.and/orTPL0040,RequirementR1.4.
12
AsrequiredbyNERCReliabilityStandardTPL0030a,RequirementR1.5.
13
AsrequiredbyNERCReliabilityStandardTPL0040,RequirementR1.4.
14
Footnote(e)DelayedClearing:failureofanyprotectionsystemcomponentsuchasarelay,circuitbreaker,or
currenttransformer,andnotbecauseofanintentionaldesigndelay,
Standard TPL-003-2b System Performance Following Loss of Two or More BES
Elements
Page 16 of 16
systemcomponentsuchas,relay,circuitbreaker,orcurrenttransformer...becausethecomponent
circuitbreakerisnotaddressedinthecurrentorpreviouslydefinedNERCglossaryterm.The
interpretationdraftingteaminitiallybelievedthelowercaseusageofprotectionsysteminferredthe
NERCglossarytermandthecomponentsdescribedtherein;however,basedontheinterpretation
draftingteamsfurtherassessmentoffootnote(e),itconcludesthattheexistingTPLstandards(TPL
0030aandTPL0040)donotimplicitlyusetheNERCglossaryterm.Withoutanexplicitreferenceto
theNERCglossaryterm,ProtectionSystem,thetwostandardsdonotprescribethespecific
protectionsystemcomponentsthatmustbeaddressedbythePlanningAuthorityandTransmission
PlannerinperformingthestudiesrequiredinTPL0030aandTPL0040.
Standard TPL-004-0a System Performance Following Extreme BES Events
1 of 10
A. Introduction
1. Title: System Performance Following Extreme Events Resulting in the Loss of Two or
More Bulk Electric System Elements (Category D)
2. Number: TPL-004-0a
3. Purpose: System simulations and associated assessments are needed periodically to ensure that
reliable systems are developed that meet specified performance requirements, with sufficient
lead time and continue to be modified or upgraded as necessary to meet present and future
System needs.
4. Applicability:
4.1. Planning Authority
4.2. Transmission Planner
5. Effective Date: April 1, 2005
B. Requirements
R1. The Planning Authority and Transmission Planner shall each demonstrate through a valid
assessment that its portion of the interconnected transmission system is evaluated for the risks
and consequences of a number of each of the extreme contingencies that are listed under
Category D of Table I. To be valid, the Planning Authoritys and Transmission Planners
assessment shall:
R1.1. Be made annually.
R1.2. Be conducted for near-term (years one through five).
R1.3. Be supported by a current or past study and/or system simulation testing that
addresses each of the following categories, showing system performance following
Category D contingencies of Table I. The specific elements selected (from within
each of the following categories) for inclusion in these studies and simulations shall
be acceptable to the associated Regional Reliability Organization(s).
R1.3.1. Be performed and evaluated only for those Category D contingencies that would
produce the more severe system results or impacts. The rationale for the
contingencies selected for evaluation shall be available as supporting
information. An explanation of why the remaining simulations would produce
less severe system results shall be available as supporting information.
R1.3.2. Cover critical system conditions and study years as deemed appropriate by the
responsible entity.
R1.3.3. Be conducted annually unless changes to system conditions do not warrant
such analyses.
R1.3.4. Have all projected firm transfers modeled.
R1.3.5. Include existing and planned facilities.
R1.3.6. Include Reactive Power resources to ensure that adequate reactive resources
are available to meet system performance.
R1.3.7. Include the effects of existing and planned protection systems, including any
backup or redundant systems.
R1.3.8. Include the effects of existing and planned control devices.
Standard TPL-004-0a System Performance Following Extreme BES Events
2 of 10
R1.3.9. Include the planned (including maintenance) outage of any bulk electric
equipment (including protection systems or their components) at those demand
levels for which planned (including maintenance) outages are performed.
R1.4. Consider all contingencies applicable to Category D.
R2. The Planning Authority and Transmission Planner shall each document the results of its
reliability assessments and shall annually provide the results to its entities respective NERC
Regional Reliability Organization(s), as required by the Regional Reliability Organization.
C. Measures
M1. The Planning Authority and Transmission Planner shall have a valid assessment for its system
responses as specified in Reliability Standard TPL-004-0_R1.
M2. The Planning Authority and Transmission Planner shall provide evidence to its Compliance
Monitor that it reported documentation of results of its reliability assessments per Reliability
Standard TPL-004-0_R1.
D. Compliance
1. Compliance Monitoring Process
1.1. Compliance Monitoring Responsibility
Compliance Monitor: Regional Reliability Organization.
Each Compliance Monitor shall report compliance and violations to NERC via the
NERC Compliance Reporting Process.
1.2. Compliance Monitoring Period and Reset Timeframe
Annually.
1.3. Data Retention
None specified.
1.4. Additional Compliance Information
None.
2. Levels of Non-Compliance
2.1. Level 1: A valid assessment, as defined above, for the near-term planning horizon
is not available.
2.2. Level 2: Not applicable.
2.3. Level 3: Not applicable.
2.4. Level 4: Not applicable.
E. Regional Differences
1. None identified.
Version History
Version Date Action Change Tracking
0 April 1, 2005 Effective Date New
0a February 7, 2013 Interpretation adopted by NERC Board of
Trustees
Standard TPL-004-0a System Performance Following Extreme BES Events
3 of 10
0a June 20, 2013 Interpretation approved in FERC order
Standard TPL-004-0a System Performance Following Extreme BES Events
4 of 10
Table I. Transmission System Standards Normal and Emergency Conditions
Category
Contingencies System Limits or Impacts
Initiating Event(s) and Contingency
Element(s)
System Stable
and both
Thermal and
Voltage
Limits within
Applicable
Rating
a
Loss of Demand
or
Curtailed Firm
Transfers
Cascading
Outages
A
No Contingencies
All Facilities in Service
Yes
No
No
B
Event resulting in
the loss of a single
element.
Single Line Ground (SLG) or 3-Phase (3) Fault,
with Normal Clearing:
1. Generator
2. Transmission Circuit
3. Transformer
Loss of an Element without a Fault.
Yes
Yes
Yes
Yes
No
b
No
b
No
b
No
b
No
No
No
No
Single Pole Block, Normal Clearing
e
:
4. Single Pole (dc) Line
Yes
No
b
No
C
Event(s) resulting in
the loss of two or
more (multiple)
elements.
SLG Fault, with Normal Clearing
e
:
1. Bus Section
2. Breaker (failure or internal Fault)
Yes
Yes
Planned/
Controlled
c
Planned/
Controlled
c
No
No
SLG or 3 Fault, with Normal Clearing
e
, Manual
System Adjustments, followed by another SLG or
3 Fault, with Normal Clearing
e
:
3. Category B (B1, B2, B3, or B4)
contingency, manual system adjustments,
followed by another Category B (B1, B2,
B3, or B4) contingency
Yes
Planned/
Controlled
c
No
Bipolar Block, with Normal Clearing
e
:
4. Bipolar (dc) Line Fault (non 3), with
Normal Clearing
e
:
5. Any two circuits of a multiple circuit
towerline
f
Yes
Yes
Planned/
Controlled
c
Planned/
Controlled
c
No
No
SLG Fault, with Delayed Clearing
e
(stuck breaker
or protection system failure):
6. Generator
7. Transformer
8. Transmission Circuit
9. Bus Section
Yes
Yes
Yes
Yes
Planned/
Controlled
c
Planned/
Controlled
c
Planned/
Controlled
c
Planned/
Controlled
c
No
No
No
No
Standard TPL-004-0a System Performance Following Extreme BES Events
5 of 10
D
d
Extreme event resulting in
two or more (multiple)
elements removed or
Cascading out of service
3 Fault, with Delayed Clearing
e
(stuck breaker or protection system
failure):
1. Generator 3. Transformer
2. Transmission Circuit 4. Bus Section
3 Fault, with Normal Clearing
e
:
5. Breaker (failure or internal Fault)
6. Loss of towerline with three or more circuits
7. All transmission lines on a common right-of way
8. Loss of a substation (one voltage level plus transformers)
9. Loss of a switching station (one voltage level plus transformers)
10. Loss of all generating units at a station
11. Loss of a large Load or major Load center
12. Failure of a fully redundant Special Protection System (or
remedial action scheme) to operate when required
13. Operation, partial operation, or misoperation of a fully redundant
Special Protection System (or Remedial Action Scheme) in
response to an event or abnormal system condition for which it
was not intended to operate
14. Impact of severe power swings or oscillations from Disturbances
in another Regional Reliability Organization.
Evaluate for risks and
consequences.
May involve substantial loss of
customer Demand and
generation in a widespread
area or areas.
Portions or all of the
interconnected systems may
or may not achieve a new,
stable operating point.
Evaluation of these events may
require joint studies with
neighboring systems.
a) Applicable rating refers to the applicable Normal and Emergency facility thermal Rating or System Voltage Limit as
determined and consistently applied by the system or facility owner. Applicable Ratings may include Emergency Ratings
applicable for short durations as required to permit operating steps necessary to maintain system control. All Ratings
must be established consistent with applicable NERC Reliability Standards addressing Facility Ratings.
b) Planned or controlled interruption of electric supply to radial customers or some local network customers, connected to or
supplied by the Faulted element or by the affected area, may occur in certain areas without impacting the overall
reliability of the interconnected transmission systems. To prepare for the next contingency, system adjustments are
permitted, including curtailments of contracted Firm (non-recallable reserved) electric power Transfers.
c) Depending on system design and expected system impacts, the controlled interruption of electric supply to customers
(load shedding), the planned removal from service of certain generators, and/or the curtailment of contracted Firm (non-
recallable reserved) electric power Transfers may be necessary to maintain the overall reliability of the interconnected
transmission systems.
d) A number of extreme contingencies that are listed under Category D and judged to be critical by the transmission
planning entity(ies) will be selected for evaluation. It is not expected that all possible facility outages under each listed
contingency of Category D will be evaluated.
e) Normal clearing is when the protection system operates as designed and the Fault is cleared in the time normally expected
with proper functioning of the installed protection systems. Delayed clearing of a Fault is due to failure of any protection
system component such as a relay, circuit breaker, or current transformer, and not because of an intentional design delay.
f) System assessments may exclude these events where multiple circuit towers are used over short distances (e.g., station
entrance, river crossings) in accordance with Regional exemption criteria.
Standard TPL-004-0a System Performance Following Extreme BES Events
6 of 10
Appendix 1
Interpretation 2012-INT-02: Response to Request for Interpretation of TPL-003-0a,
Requirements R1.3.1, R1.3.10 and R1.5 and TPL-004-0, Requirements R1.3.1, R1.3.7 and R1.4
for the System Protection and Control Subcommittee
Date submitted: December 12, 2011
The following interpretations of TPL-003-0a, System Performance Following Loss of Two or More Bulk
Electric System Elements (Category C), Requirements R1.3.1, R1.3.10 and R1.5 and TPL-004-0, System
Performance Following Extreme Events Resulting in the Loss of Two or More Bulk Electric System
Elements (Category D), Requirements R1.3.1, R1.37 and R1.4 were developed by members of the Assess
Transmission Future Needs Standard Drafting Team (ATFNSTD), Protection System Misoperations
Standard Development Team (PSMSDT), and Protection System Maintenance and Testing Standard
Drafting Team (PSMTSDT).
Standard Requirement (and text)
TPL-003-0a R1.3.1 Be performed and evaluated only for those Category C contingencies that
would produce the more severe system results or impacts. The rationale for the
contingencies selected for evaluation shall be available as supporting information.
An explanation of why the remaining simulations would produce less severe system
results shall be available as supporting information.
TPL-003-0a R1.3.10. Include the effects of existing and planned protection systems, including
any backup or redundant systems.
TPL-003-0a R1.5. Consider all contingencies applicable to Category C.
TPL-004-0 R1.3.1. Be performed and evaluated only for those Category D contingencies that
would produce the more severe system results or impacts. The rationale for the
contingencies selected for evaluation shall be available as supporting information.
An explanation of why the remaining simulations would produce less severe system
results shall be available as supporting information.
TPL-004-0 R1.3.7. Include the effects of existing and planned protection systems, including any
backup or redundant systems.
TPL-004-0 R1.4. Consider all contingencies applicable to Category D.
Please explain the clarification needed (as submitted).
This interpretation request has been developed to address Commission concerns related to the term
Single Point of Failure and how it relates to system performance and contingency planning
clarification regarding the following questions about the listed standards, requirements and terms.
Standard TPL-004-0a System Performance Following Extreme BES Events
7 of 10
More specifically, clarification is needed about the comprehensive study of system performance
relating to Table 1s, Category C and D contingency of a protection system failure and specifically the
impact of failed components (i.e., Single Point of Failure). It is not entirely clear whether a valid
assessment of a protection system failure includes evaluation of shared or non-redundant protection
system components. Protection systems that have a shared protection system component are not two
independent protection systems, because both protection systems will be mutually impacted for a
failure of a single shared component. A protection system component evaluation would include the
evaluation of the consequences on system performance for the failure of any protection system
component that is integral to the operation of the protection system being evaluated and to the
operation of another protection system.
On March 30, 2009, NERC issued an Industry Advisory Protection System Single Point of Failure
1
Question 1: For the parenthetical (stuck breaker or protection system failure) in TPL-003-0a (Category
C contingencies 6-9) and TPL-004-0 (Category D contingencies 1-4), does an entity have the option of
evaluating the effects
(i.e.,
NERC Alert) for three significant events. One of which, the Westwing outage (June 14, 2004) was
caused by failure of a single auxiliary relay that initiated both breaker tripping and the breaker failure
protection. Since breaker tripping and breaker failure protection both shared the same auxiliary relay,
there was no independence between breaker tripping and breaker failure protection systems, therefore
causing both protection systems to not operate for the single component failure of the auxiliary relay.
The failure of this auxiliary relay is known as a single point of failure. It is not clear whether this
situation is comprehensively addressed by the applicable entities when making a valid assessment of
system performance for both Category C and D contingencies.
2
of either stuck breaker or protection system failure contingency
3
There is a lack of clarity whether R1.3.1
, or does an
applicable entity have to evaluate the contingency that produces the more severe system results or
impacts as identified in R1.3.1 of both standards?
4
Question 2: For the phrase Delayed Clearing
requires an entity to assess which contingency causes the most
severe system results or impacts (R1.3.1) and this ambiguity could result in a potential reliability gap.
Whether the simulation of a stuck breaker or protection system failure will produce the worst result
depends on the protection system design. For example when a protection system is fully redundant, a
protection system failure will not affect fault clearing; therefore, a stuck breaker would result in more
severe system results or impacts. However, when a protection system failure affects fault clearing, the
fault clearing time may be longer than the breaker failure protection clearing time for a stuck breaker
contingency and may result in tripping of additional system elements, resulting in a more severe system
response.
5
used in Category C
6
contingencies 6-9 and Category D
7
contingencies 1-4, to what extent does the description in Table 1, footnote (e)
8
1
NERC Website: (
require an entity to
http://www.nerc.com/fileUploads/File/Events%20Analysis/A-2009-03-30-01.pdf)
2
As required by NERC Reliability Standard TPL-003-0a, Requirement R1.3.10. and/or TPL-004-0, Requirement
R1.3.7.
3
As required by NERC Reliability Standard TPL-003-0a, Requirement R1.5. and/or TPL-004-0, Requirement R1.4.
4
Be performed and evaluated only for those Category (TPL-003-0a Category C and TPL-004-0 Category D)
contingencies that would produce the more severe system results or impacts.
5
As required by NERC Reliability Standard TPL-003-0a, Requirement R1.5. and/or TPL-004-0, Requirement R1.4.
Standard TPL-004-0a System Performance Following Extreme BES Events
8 of 10
model a single point of failure of a protection system component that may prevent correct operation of
a protection system, including other protection systems impacted by that failed component based on
the as-built design of that protection system?
There is a lack of clarity whether footnote (e) in Table 1 requires the study and/or simulation of a failure
of a protection system component (i.e., single point of failure) that may prevent correct operation of
the protection system(s) impacted by the component failure. Protection systems that share a
protection system component are fully dependent upon the correct operation of that single shared
component and do not perform as two independent protection systems. This lack of clarity may result
in a potential reliability gap.
Clarity is necessary as to whether (1) a valid assessment should include evaluation of delayed clearing
due to failure of the protection system component (i.e., single point of failure), such as the failure of a
shared protection system component, that produces the more severe system results or impacts; and (2)
the study and/or simulation of the fault clearing sequence and protection system(s) operation should
be based on the protection system(s) as-built design.
The lack of clarity is compounded by the similarity between the phrase Delayed Clearing used in TPL-
003-0a and TPL-004-0, footnote (e), and the NERC glossary term Delayed Fault Clearing. While TPL-
003-0a and TPL-004-0 do not use the glossary term, the similarity may lead to confusion and
inconsistency in how entities apply footnote (e) to stuck breaker or protection system failure
contingency assessments.
Question 1
For the parenthetical (stuck breaker or protection system failure) in TPL-003-0a (Category C
contingencies 6-9) and TPL-004-0 (Category D contingencies 1-4), does an entity have the option of
evaluating the effects
9
of either stuck breaker or protection system failure contingency
10
Response 1
, or does
an applicable entity have to evaluate the contingency that produces the more severe system results or
impacts as identified in R1.3.1 of both standards?
The interpretation drafting team concludes that the Planning Authority and Transmission Planner must
evaluate the situation that produces the more severe system results or impacts (i.e., TPL-003-0a, R1.3.1
and TPL-004-0, R1.3.1) due to a delayed clearing condition regardless of whether the condition resulted
6
As required by NERC Reliability Standard TPL-003-0a, Requirement R1.5.
7
As required by NERC Reliability Standard TPL-004-0, Requirement R1.4.
8
Footnote (e) Delayed Clearing: failure of any protection system component such as a relay, circuit breaker, or
current transformer, and not because of an intentional design delay,
9
As required by NERC Reliability Standard TPL-003-0a, Requirement R1.3.10. and/or TPL-004-0, Requirement
R1.3.7.
10
As required by NERC Reliability Standard TPL-003-0a, Requirement R1.5. and/or TPL-004-0, Requirement R1.4.
Standard TPL-004-0a System Performance Following Extreme BES Events
9 of 10
from a stuck breaker or protection system failure. The Reliability Standards TPL-003-0a (Table I,
Category C contingencies 6-9) and TPL-004-0 (Table I, Category D contingencies 1-4) involve an
assessment of the effects of either a stuck breaker or a protection system failure. The single line
ground (SLG) (TPL-003-0a, Table I, Category C) Fault and 3-phase (3) (TPL-004-0, Table I, Category D)
Fault contingencies with delayed clearing are further defined by footnote (e) and the parenthetical
phrase (stuck breaker or protection system failure). Footnote (e) explains that Delayed clearing of a
Fault is due to failure of any protection system component such as a relay, circuit breaker, or current
transformer, and not because of an intentional design delay. The parenthetical further emphasizes
that the failure may be a stuck breaker or protection system failure that causes the delayed clearing
of the fault. The text in Table 1 in either standard explains that when selecting delayed clearing
contingencies to evaluate, both conditions (stuck breaker or protection system failure) must be
considered.
Question 2
For the phrase Delayed Clearing
11
used in Category C
12
contingencies 6-9 and Category D
13
contingencies 1-4, to what extent does the description in Table 1, footnote (e)
14
Response 2
require an entity to
model a single point of failure of a protection system component that may prevent correct operation of
a protection system, including other protection systems impacted by that failed component based on
the as-built design of that protection system?
The term Delayed Clearing that is described in Table I, footnote (e) refers to fault clearing that results
from a failure to achieve the protection systems normally expected clearing time. For Category C or D
contingencies, each Planning Authority and Transmission Planner is permitted engineering judgment in
its selection of the protection system component failures for evaluation that would produce the more
severe system results or impact (i.e., TPL-003-0a, R1.3.1 and TPL-004-0, R1.3.1). The evaluation would
include addressing all protection systems affected by the selected component.
A protection system component failure that impacts one or more protection systems and increases the
total fault clearing time requires the Planning Authority and Transmission Planner to simulate the full
impact (clearing time and facilities removed) on the Bulk Electric System performance.
The interpretation drafting team bases this conclusion on the footnote (e) example any protection
system component such as, relay, circuit breaker, or current transformer... because the component
circuit breaker is not addressed in the current or previously defined NERC glossary term. The
interpretation drafting team initially believed the lowercase usage of protection system inferred the
11
As required by NERC Reliability Standard TPL-003-0a, Requirement R1.5. and/or TPL-004-0, Requirement R1.4.
12
As required by NERC Reliability Standard TPL-003-0a, Requirement R1.5.
13
As required by NERC Reliability Standard TPL-004-0, Requirement R1.4.
14
Footnote (e) Delayed Clearing: failure of any protection system component such as a relay, circuit breaker, or
current transformer, and not because of an intentional design delay,
Standard TPL-004-0a System Performance Following Extreme BES Events
10 of 10
NERC glossary term and the components described therein; however, based on the interpretation
drafting teams further assessment of footnote (e), it concludes that the existing TPL standards (TPL-
003-0a and TPL-004-0) do not implicitly use the NERC glossary term. Without an explicit reference to
the NERC glossary term, Protection System, the two standards do not prescribe the specific
protection system components that must be addressed by the Planning Authority and Transmission
Planner in performing the studies required in TPL-003-0a and TPL-004-0.
Standard TPL-004-2 System Performance Following Extreme BES Events
1 of 7
A. Introduction
1. Title: System Performance Following Extreme Events Resulting in the Loss of Two or
More Bulk Electric System Elements (Category D)
2. Number: TPL-004-2
3. Purpose: System simulations and associated assessments are needed periodically to ensure that
reliable systems are developed that meet specified performance requirements, with sufficient
lead time and continue to be modified or upgraded as necessary to meet present and future
System needs.
4. Applicability:
4.1. Planning Authority
4.2. Transmission Planner
5. Effective Date: The application of revised Footnote b in Table 1 will take effect on the
first day of the first calendar quarter, 60 months after approval by applicable regulatory
authorities. In those jurisdictions where regulatory approval is not required, the effective date
will be the first day of the first calendar quarter, 60 months after Board of Trustees adoption or
as otherwise made effective pursuant to the laws applicable to such ERO governmental
authorities. All other requirements remain in effect per previous approvals. The existing
Footnote b remains in effect until the revised Footnote b becomes effective.
B. Requirements
R1. The Planning Authority and Transmission Planner shall each demonstrate through a valid
assessment that its portion of the interconnected transmission system is evaluated for the risks
and consequences of a number of each of the extreme contingencies that are listed under
Category D of Table I. To be valid, the Planning Authoritys and Transmission Planners
assessment shall:
R1.1. Be made annually.
R1.2. Be conducted for near-term (years one through five).
R1.3. Be supported by a current or past study and/or system simulation testing that
addresses each of the following categories, showing system performance following
Category D contingencies of Table I. The specific elements selected (from within
each of the following categories) for inclusion in these studies and simulations shall
be acceptable to the associated Regional Reliability Organization(s).
R1.3.1. Be performed and evaluated only for those Category D contingencies that would
produce the more severe system results or impacts. The rationale for the
contingencies selected for evaluation shall be available as supporting
information. An explanation of why the remaining simulations would produce
less severe system results shall be available as supporting information.
R1.3.2. Cover critical system conditions and study years as deemed appropriate by the
responsible entity.
R1.3.3. Be conducted annually unless changes to system conditions do not warrant
such analyses.
R1.3.4. Have all projected firm transfers modeled.
R1.3.5. Include existing and planned facilities.
Standard TPL-004-2 System Performance Following Extreme BES Events
2 of 7
R1.3.6. Include Reactive Power resources to ensure that adequate reactive resources
are available to meet system performance.
R1.3.7. Include the effects of existing and planned protection systems, including any
backup or redundant systems.
R1.3.8. Include the effects of existing and planned control devices.
R1.3.9. Include the planned (including maintenance) outage of any bulk electric
equipment (including protection systems or their components) at those demand
levels for which planned (including maintenance) outages are performed.
R1.4. Consider all contingencies applicable to Category D.
R2. The Planning Authority and Transmission Planner shall each document the results of its
reliability assessments and shall annually provide the results to its entities respective NERC
Regional Reliability Organization(s), as required by the Regional Reliability Organization.
B. Measures
M1. The Planning Authority and Transmission Planner shall have a valid assessment for its system
responses as specified in Reliability Standard TPL-004-2_R1.
M2. The Planning Authority and Transmission Planner shall provide evidence to its Compliance
Monitor that it reported documentation of results of its reliability assessments per Reliability
Standard TPL-004-2_R1.
C. Compliance
1. Compliance Monitoring Process
1.1. Compliance Monitoring Responsibility
Compliance Monitor: Regional Reliability Organization.
Each Compliance Monitor shall report compliance and violations to NERC via the
NERC Compliance Reporting Process.
1.2. Compliance Monitoring Period and Reset Timeframe
Annually.
1.3. Data Retention
None specified.
1.4. Additional Compliance Information
None.
2. Levels of Non-Compliance
2.1. Level 1: A valid assessment, as defined above, for the near-term planning horizon
is not available.
2.2. Level 2: Not applicable.
2.3. Level 3: Not applicable.
2.4. Level 4: Not applicable.
D. Regional Differences
1. None identified.
Standard TPL-004-2 System Performance Following Extreme BES Events
3 of 7
Version History
Version Date Action Change Tracking
0 April 1, 2005 Effective Date New
1 February 17,
2011
Approved by the Board of Trustees;
revised footnote b pursuant to FERC
Order RM06-16-009.
Revised (Project 2010-
11)
1 April 19, 2012 FERC issued Order 762 remanding
TPL-001-1, TPL-002-1b, TPL-003-1a,
and TPL-004-1. FERC also issued a
NOPR proposing to remand TPL-001-2.
NERC has been directed to revise
footnote 'b' in accordance with the
directives of Order Nos. 762 and 693.
2 February 7,
2013
Adopted by NERC Board of Trustees.
Revised footnote b.
Standard TPL-004-2 System Performance Following Extreme BES Events
4 of 7
Table I. Transmission System Standards Normal and Emergency Conditions
Category
Contingencies System Limits or Impacts
Initiating Event(s) and Contingency
Element(s)
System Stable
and both
Thermal and
Voltage
Limits within
Applicable
Rating
a
Loss of Demand
or
Curtailed Firm
Transfers
Cascading
Outages
A
No Contingencies
All Facilities in Service
Yes
No
No
B
Event resulting in
the loss of a single
element.
Single Line Ground (SLG) or 3-Phase (3) Fault,
with Normal Clearing:
1. Generator
2. Transmission Circuit
3. Transformer
Loss of an Element without a Fault.
Yes
Yes
Yes
Yes
No
b
No
b
No
b
No
b
No
No
No
No
Single Pole Block, Normal Clearing
e
:
4. Single Pole (dc) Line
Yes
No
b
No
C
Event(s) resulting in
the loss of two or
more (multiple)
elements.
SLG Fault, with Normal Clearing
e
:
1. Bus Section
2. Breaker (failure or internal Fault)
Yes
Yes
Planned/
Controlled
c
Planned/
Controlled
c
No
No
SLG or 3 Fault, with Normal Clearing
e
, Manual
SystemAdjustments, followed by another SLG or
3 Fault, with Normal Clearing
e
:
3. Category B (B1, B2, B3, or B4)
contingency, manual systemadjustments,
followed by another Category B (B1, B2,
B3, or B4) contingency
Yes
Planned/
Controlled
c
No
Bipolar Block, with Normal Clearing
e
:
4. Bipolar (dc) Line Fault (non 3), with
Normal Clearing
e
:
5. Any two circuits of a multiple circuit
towerline
f
Yes
Yes
Planned/
Controlled
c
Planned/
Controlled
c
No
No
SLG Fault, with Delayed Clearing
e
(stuck breaker
or protection systemfailure):
6. Generator
7. Transformer
8. Transmission Circuit
9. Bus Section
Yes
Yes
Yes
Yes
Planned/
Controlled
c
Planned/
Controlled
c
Planned/
Controlled
c
Planned/
Controlled
c
No
No
No
No
Standard TPL-004-2 System Performance Following Extreme BES Events
5 of 7
D
d
Extreme event resulting in
two or more (multiple)
elements removed or
Cascading out of service
3 Fault, with Delayed Clearing
e
(stuck breaker or protection system
failure):
1. Generator 3. Transformer
2. Transmission Circuit 4. Bus Section
3 Fault, with Normal Clearing
e
:
5. Breaker (failure or internal Fault)
6. Loss of towerline with three or more circuits
7. All transmission lines on a common right-of way
8. Loss of a substation (one voltage level plus transformers)
9. Loss of a switching station (one voltage level plus transformers)
10. Loss of all generating units at a station
11. Loss of a large Load or major Load center
12. Failure of a fully redundant Special Protection System(or
remedial action scheme) to operate when required
13. Operation, partial operation, or misoperation of a fully redundant
Special Protection System(or Remedial Action Scheme) in
response to an event or abnormal systemcondition for which it
was not intended to operate
14. Impact of severe power swings or oscillations fromDisturbances
in another Regional Reliability Organization.
Evaluate for risks and
consequences.
May involve substantial loss of
customer Demand and
generation in a widespread
area or areas.
Portions or all of the
interconnected systems may
or may not achieve a new,
stable operating point.
Evaluation of these events may
require joint studies with
neighboring systems.
a) Applicable rating refers to the applicable Normal and Emergency facility thermal Rating or System Voltage Limit as
determined and consistently applied by the system or facility owner. Applicable Ratings may include Emergency Ratings
applicable for short durations as required to permit operating steps necessary to maintain system control. All Ratings
must be established consistent with applicable NERC Reliability Standards addressing Facility Ratings.
b) An objective of the planning process is to minimize the likelihood and magnitude of interruption of firm transfers or Firm
Demand following Contingency events. Curtailment of firm transfers is allowed when achieved through the appropriate
re-dispatch of resources obligated to re-dispatch, where it can be demonstrated that Facilities, internal and external to the
Transmission Planners planning region, remain within applicable Facility Ratings and the re-dispatch does not result in
the shedding of any Firm Demand. For purposes of this footnote, the following are not counted as Firm Demand: (1)
Demand directly served by the Elements removed from service as a result of the Contingency, and (2) Interruptible
Demand or Demand-Side Management Load. In limited circumstances, Firm Demand may be interrupted throughout the
planning horizon to ensure that BES performance requirements are met. However, when interruption of Firm Demand is
utilized within the Near-Term Transmission Planning Horizon to address BES performance requirements, such
interruption is limited to circumstances where the use of Firm Demand interruption meets the conditions shown in
Attachment 1. In no case can the planned Firm Demand interruption under footnote b exceed 75 MW for US registered
entities. The amount of planned Non-Consequential Load Loss for a non-US Registered Entity should be implemented in
a manner that is consistent with, or under the direction of, the applicable governmental authority or its agency in the non-
US jurisdiction.
c) Depending on system design and expected system impacts, the controlled interruption of electric supply to customers
(load shedding), the planned removal from service of certain generators, and/or the curtailment of contracted Firm (non-
recallable reserved) electric power Transfers may be necessary to maintain the overall reliability of the interconnected
transmission systems.
d) A number of extreme contingencies that are listed under Category D and judged to be critical by the transmission
planning entity(ies) will be selected for evaluation. It is not expected that all possible facility outages under each listed
contingency of Category D will be evaluated.
e) Normal clearing is when the protection system operates as designed and the Fault is cleared in the time normally expected
with proper functioning of the installed protection systems. Delayed clearing of a Fault is due to failure of any protection
system component such as a relay, circuit breaker, or current transformer, and not because of an intentional design delay.
f) System assessments may exclude these events where multiple circuit towers are used over short distances (e.g., station
entrance, river crossings) in accordance with Regional exemption criteria.
Standard TPL-004-2 System Performance Following Extreme BES Events
6 of 7
Attachment 1
I. Stakeholder Process
During each Planning Assessment before the use of Firm Demand interruption under footnote b
is allowed as an element of a Corrective Action Plan in the Near-Term Transmission Planning
Horizon of the Planning Assessment, the Transmission Planner or Planning Coordinator shall
ensure that the utilization of footnote b is reviewed through an open and transparent
stakeholder process. The responsible entity can utilize an existing process or develop a new
process. The process must include the following:
1. Meetings must be open to affected stakeholders including applicable regulatory
authorities or governing bodies responsible for retail electric service issues
2. Notice must be provided in advance of meetings to affected stakeholders including
applicable regulatory authorities or governing bodies responsible for retail electric service
issues and include an agenda with:
a. Date, time, and location for the meeting
b. Specific location(s) of the planned Firm Demand interruption under footnote b
c. Provisions for a stakeholder comment period
3. Information regarding the intended purpose and scope of the proposed Firm Demand
interruption under footnote b (as shown in Section II below) must be made available to
meeting participants
4. A procedure for stakeholders to submit written questions or concerns and to receive
written responses to the submitted questions and concerns
5. A dispute resolution process for any question or concern raised in #4 above that is not
resolved to the stakeholders satisfaction
An entity does not have to repeat the stakeholder process for a specific application of footnote
b utilization with respect to subsequent Planning Assessments unless conditions spelled out in
Section II below have materially changed for that specific application.
II. Information for Inclusion in Item #3 of the Stakeholder Process
The responsible entity shall document the planned use of Firm Demand interruption under
footnote b which must include the following:
1. Conditions under which Firm Demand interruption under footnote b would be
necessary:
a. System Load level and estimated annual hours of exposure at or above that Load
level
b. Applicable Contingencies and the Facilities outside their applicable rating due to
that Contingency
2. Amount of Firm Demand MW to be interrupted with:
a. The estimated number and type of customers affected
Standard TPL-004-2 System Performance Following Extreme BES Events
7 of 7
b. An explanation of the effect of the use of Firm Demand interruption under
footnote b on the health, safety, and welfare of the community
3. Estimated frequency of Firm Demand interruption under footnote b based on historical
performance
4. Expected duration of Firm Demand interruption under footnote b based on historical
performance
5. Future plans to alleviate the need for Firm Demand interruption under footnote b
6. Verification that TPL Reliability Standards performance requirements will be met
following the application of footnote b
7. Alternatives to Firm Demand interruption considered and the rationale for not selecting
those alternatives under footnote b
8. Assessment of potential overlapping uses of footnote b including overlaps with adjacent
Transmission Planners and Planning Coordinators
III. Instances for which Regulatory Review of Interruptions of Firm Demand under Footnote b
is Required
Before a Firm Demand interruption under footnote b is allowed as an element of a Corrective
Action Plan in Year One of the Planning Assessment, the Transmission Planner or Planning
Coordinator must ensure that the applicable regulatory authorities or governing bodies
responsible for retail electric service issues do not object to the use of Firm Demand interruption
under footnote b if either:
1. The voltage level of the Contingency is greater than 300 kV
a. If the Contingency analyzed involves BES Elements at multiple System voltage
levels, the lowest System voltage level of the element(s) removed for the
analyzed Contingency determines the stated performance criteria regarding
allowances for Firm Demand interruptions under footnote b, or
b. For a non-generator step up transformer outage Contingency, the 300 kV limit
applies to the low-side winding (excluding tertiary windings). For a generator or
generator step up transformer outage Contingency, the 300 kV limit applies to the
BES connected voltage (high-side of the Generator Step Up transformer)
2. The planned Firm Demand interruption under footnote b is greater than or equal to 25
MW
Once assurance has been received that the applicable regulatory authorities or governing bodies
responsible for retail electric service issues do not object to the use of Firm Demand interruption
under footnote b, the Planning Coordinator or Transmission Planner must submit the
information outlined in items II.1 through II.8 above to the ERO for a determination of whether
there are any Adverse Reliability Impacts caused by the request to utilize footnote b for Firm
Demand interruption.
Standard TPL-004-2a System Performance Following Extreme BES Events
1 of 12
A. Introduction
1. Title: System Performance Following Extreme Events Resulting in the Loss of Two or
More Bulk Electric System Elements (Category D)
2. Number: TPL-004-2a
3. Purpose: System simulations and associated assessments are needed periodically to ensure that
reliable systems are developed that meet specified performance requirements, with sufficient
lead time and continue to be modified or upgraded as necessary to meet present and future
System needs.
4. Applicability:
4.1. Planning Authority
4.2. Transmission Planner
5. Effective Date: The application of revised Footnote b in Table 1 will take effect on the
first day of the first calendar quarter, 60 months after approval by applicable regulatory
authorities. In those jurisdictions where regulatory approval is not required, the effective date
will be the first day of the first calendar quarter, 60 months after Board of Trustees adoption or
as otherwise made effective pursuant to the laws applicable to such ERO governmental
authorities. All other requirements remain in effect per previous approvals. The existing
Footnote b remains in effect until the revised Footnote b becomes effective.
B. Requirements
R1. The Planning Authority and Transmission Planner shall each demonstrate through a valid
assessment that its portion of the interconnected transmission system is evaluated for the risks
and consequences of a number of each of the extreme contingencies that are listed under
Category D of Table I. To be valid, the Planning Authoritys and Transmission Planners
assessment shall:
R1.1. Be made annually.
R1.2. Be conducted for near-term (years one through five).
R1.3. Be supported by a current or past study and/or system simulation testing that
addresses each of the following categories, showing system performance following
Category D contingencies of Table I. The specific elements selected (from within
each of the following categories) for inclusion in these studies and simulations shall
be acceptable to the associated Regional Reliability Organization(s).
R1.3.1. Be performed and evaluated only for those Category D contingencies that would
produce the more severe system results or impacts. The rationale for the
contingencies selected for evaluation shall be available as supporting
information. An explanation of why the remaining simulations would produce
less severe system results shall be available as supporting information.
R1.3.2. Cover critical system conditions and study years as deemed appropriate by the
responsible entity.
R1.3.3. Be conducted annually unless changes to system conditions do not warrant
such analyses.
R1.3.4. Have all projected firm transfers modeled.
R1.3.5. Include existing and planned facilities.
Standard TPL-004-2a System Performance Following Extreme BES Events
2 of 12
R1.3.6. Include Reactive Power resources to ensure that adequate reactive resources
are available to meet system performance.
R1.3.7. Include the effects of existing and planned protection systems, including any
backup or redundant systems.
R1.3.8. Include the effects of existing and planned control devices.
R1.3.9. Include the planned (including maintenance) outage of any bulk electric
equipment (including protection systems or their components) at those demand
levels for which planned (including maintenance) outages are performed.
R1.4. Consider all contingencies applicable to Category D.
R2. The Planning Authority and Transmission Planner shall each document the results of its
reliability assessments and shall annually provide the results to its entities respective NERC
Regional Reliability Organization(s), as required by the Regional Reliability Organization.
B. Measures
M1. The Planning Authority and Transmission Planner shall have a valid assessment for its system
responses as specified in Reliability Standard TPL-004-2_R1.
M2. The Planning Authority and Transmission Planner shall provide evidence to its Compliance
Monitor that it reported documentation of results of its reliability assessments per Reliability
Standard TPL-004-2_R1.
C. Compliance
1. Compliance Monitoring Process
1.1. Compliance Monitoring Responsibility
Compliance Monitor: Regional Reliability Organization.
Each Compliance Monitor shall report compliance and violations to NERC via the
NERC Compliance Reporting Process.
1.2. Compliance Monitoring Period and Reset Timeframe
Annually.
1.3. Data Retention
None specified.
1.4. Additional Compliance Information
None.
2. Levels of Non-Compliance
2.1. Level 1: A valid assessment, as defined above, for the near-term planning horizon
is not available.
2.2. Level 2: Not applicable.
2.3. Level 3: Not applicable.
2.4. Level 4: Not applicable.
D. Regional Differences
1. None identified.
Standard TPL-004-2a System Performance Following Extreme BES Events
3 of 12
Version History
Version Date Action Change Tracking
0 April 1, 2005 Effective Date New
1 February 17,
2011
Approved by the Board of Trustees;
revised footnote b pursuant to FERC
Order RM06-16-009.
Revised (Project 2010-
11)
1 April 19, 2012 FERC issued Order 762 remanding
TPL-001-1, TPL-002-1b, TPL-003-1a,
and TPL-004-1. FERC also issued a
NOPR proposing to remand TPL-001-2.
NERC has been directed to revise
footnote 'b' in accordance with the
directives of Order Nos. 762 and 693.
2 February 7,
2013
Adopted by NERC Board of Trustees.
Revised footnote b.
2a February 7,
2013
Interpretation adopted by NERC Board
of Trustees.
Standard TPL-004-2a System Performance Following Extreme BES Events
4 of 12
Table I. Transmission System Standards Normal and Emergency Conditions
Category
Contingencies System Limits or Impacts
Initiating Event(s) and Contingency
Element(s)
System Stable
and both
Thermal and
Voltage
Limits within
Applicable
Rating
a
Loss of Demand
or
Curtailed Firm
Transfers
Cascading
Outages
A
No Contingencies
All Facilities in Service
Yes
No
No
B
Event resulting in
the loss of a single
element.
Single Line Ground (SLG) or 3-Phase (3) Fault,
with Normal Clearing:
1. Generator
2. Transmission Circuit
3. Transformer
Loss of an Element without a Fault.
Yes
Yes
Yes
Yes
No
b
No
b
No
b
No
b
No
No
No
No
Single Pole Block, Normal Clearing
e
:
4. Single Pole (dc) Line
Yes
No
b
No
C
Event(s) resulting in
the loss of two or
more (multiple)
elements.
SLG Fault, with Normal Clearing
e
:
1. Bus Section
2. Breaker (failure or internal Fault)
Yes
Yes
Planned/
Controlled
c
Planned/
Controlled
c
No
No
SLG or 3 Fault, with Normal Clearing
e
, Manual
SystemAdjustments, followed by another SLG or
3 Fault, with Normal Clearing
e
:
3. Category B (B1, B2, B3, or B4)
contingency, manual systemadjustments,
followed by another Category B (B1, B2,
B3, or B4) contingency
Yes
Planned/
Controlled
c
No
Bipolar Block, with Normal Clearing
e
:
4. Bipolar (dc) Line Fault (non 3), with
Normal Clearing
e
:
5. Any two circuits of a multiple circuit
towerline
f
Yes
Yes
Planned/
Controlled
c
Planned/
Controlled
c
No
No
SLG Fault, with Delayed Clearing
e
(stuck breaker
or protection systemfailure):
6. Generator
7. Transformer
8. Transmission Circuit
9. Bus Section
Yes
Yes
Yes
Yes
Planned/
Controlled
c
Planned/
Controlled
c
Planned/
Controlled
c
Planned/
Controlled
c
No
No
No
No
Standard TPL-004-2a System Performance Following Extreme BES Events
5 of 12
D
d
Extreme event resulting in
two or more (multiple)
elements removed or
Cascading out of service
3 Fault, with Delayed Clearing
e
(stuck breaker or protection system
failure):
1. Generator 3. Transformer
2. Transmission Circuit 4. Bus Section
3 Fault, with Normal Clearing
e
:
5. Breaker (failure or internal Fault)
6. Loss of towerline with three or more circuits
7. All transmission lines on a common right-of way
8. Loss of a substation (one voltage level plus transformers)
9. Loss of a switching station (one voltage level plus transformers)
10. Loss of all generating units at a station
11. Loss of a large Load or major Load center
12. Failure of a fully redundant Special Protection System(or
remedial action scheme) to operate when required
13. Operation, partial operation, or misoperation of a fully redundant
Special Protection System(or Remedial Action Scheme) in
response to an event or abnormal systemcondition for which it
was not intended to operate
14. Impact of severe power swings or oscillations fromDisturbances
in another Regional Reliability Organization.
Evaluate for risks and
consequences.
May involve substantial loss of
customer Demand and
generation in a widespread
area or areas.
Portions or all of the
interconnected systems may
or may not achieve a new,
stable operating point.
Evaluation of these events may
require joint studies with
neighboring systems.
a) Applicable rating refers to the applicable Normal and Emergency facility thermal Rating or System Voltage Limit as
determined and consistently applied by the system or facility owner. Applicable Ratings may include Emergency Ratings
applicable for short durations as required to permit operating steps necessary to maintain system control. All Ratings
must be established consistent with applicable NERC Reliability Standards addressing Facility Ratings.
b) An objective of the planning process is to minimize the likelihood and magnitude of interruption of firm transfers or Firm
Demand following Contingency events. Curtailment of firm transfers is allowed when achieved through the appropriate
re-dispatch of resources obligated to re-dispatch, where it can be demonstrated that Facilities, internal and external to the
Transmission Planners planning region, remain within applicable Facility Ratings and the re-dispatch does not result in
the shedding of any Firm Demand. For purposes of this footnote, the following are not counted as Firm Demand: (1)
Demand directly served by the Elements removed from service as a result of the Contingency, and (2) Interruptible
Demand or Demand-Side Management Load. In limited circumstances, Firm Demand may be interrupted throughout the
planning horizon to ensure that BES performance requirements are met. However, when interruption of Firm Demand is
utilized within the Near-Term Transmission Planning Horizon to address BES performance requirements, such
interruption is limited to circumstances where the use of Firm Demand interruption meets the conditions shown in
Attachment 1. In no case can the planned Firm Demand interruption under footnote b exceed 75 MW for US registered
entities. The amount of planned Non-Consequential Load Loss for a non-US Registered Entity should be implemented in
a manner that is consistent with, or under the direction of, the applicable governmental authority or its agency in the non-
US jurisdiction.
c) Depending on system design and expected system impacts, the controlled interruption of electric supply to customers
(load shedding), the planned removal from service of certain generators, and/or the curtailment of contracted Firm (non-
recallable reserved) electric power Transfers may be necessary to maintain the overall reliability of the interconnected
transmission systems.
d) A number of extreme contingencies that are listed under Category D and judged to be critical by the transmission
planning entity(ies) will be selected for evaluation. It is not expected that all possible facility outages under each listed
contingency of Category D will be evaluated.
e) Normal clearing is when the protection system operates as designed and the Fault is cleared in the time normally expected
with proper functioning of the installed protection systems. Delayed clearing of a Fault is due to failure of any protection
system component such as a relay, circuit breaker, or current transformer, and not because of an intentional design delay.
f) System assessments may exclude these events where multiple circuit towers are used over short distances (e.g., station
entrance, river crossings) in accordance with Regional exemption criteria.
Standard TPL-004-2a System Performance Following Extreme BES Events
6 of 12
Attachment 1
I. Stakeholder Process
During each Planning Assessment before the use of Firm Demand interruption under footnote b
is allowed as an element of a Corrective Action Plan in the Near-Term Transmission Planning
Horizon of the Planning Assessment, the Transmission Planner or Planning Coordinator shall
ensure that the utilization of footnote b is reviewed through an open and transparent
stakeholder process. The responsible entity can utilize an existing process or develop a new
process. The process must include the following:
1. Meetings must be open to affected stakeholders including applicable regulatory
authorities or governing bodies responsible for retail electric service issues
2. Notice must be provided in advance of meetings to affected stakeholders including
applicable regulatory authorities or governing bodies responsible for retail electric service
issues and include an agenda with:
a. Date, time, and location for the meeting
b. Specific location(s) of the planned Firm Demand interruption under footnote b
c. Provisions for a stakeholder comment period
3. Information regarding the intended purpose and scope of the proposed Firm Demand
interruption under footnote b (as shown in Section II below) must be made available to
meeting participants
4. A procedure for stakeholders to submit written questions or concerns and to receive
written responses to the submitted questions and concerns
5. A dispute resolution process for any question or concern raised in #4 above that is not
resolved to the stakeholders satisfaction
An entity does not have to repeat the stakeholder process for a specific application of footnote
b utilization with respect to subsequent Planning Assessments unless conditions spelled out in
Section II below have materially changed for that specific application.
II. Information for Inclusion in Item #3 of the Stakeholder Process
The responsible entity shall document the planned use of Firm Demand interruption under
footnote b which must include the following:
1. Conditions under which Firm Demand interruption under footnote b would be
necessary:
a. System Load level and estimated annual hours of exposure at or above that Load
level
b. Applicable Contingencies and the Facilities outside their applicable rating due to
that Contingency
2. Amount of Firm Demand MW to be interrupted with:
a. The estimated number and type of customers affected
Standard TPL-004-2a System Performance Following Extreme BES Events
7 of 12
b. An explanation of the effect of the use of Firm Demand interruption under
footnote b on the health, safety, and welfare of the community
3. Estimated frequency of Firm Demand interruption under footnote b based on historical
performance
4. Expected duration of Firm Demand interruption under footnote b based on historical
performance
5. Future plans to alleviate the need for Firm Demand interruption under footnote b
6. Verification that TPL Reliability Standards performance requirements will be met
following the application of footnote b
7. Alternatives to Firm Demand interruption considered and the rationale for not selecting
those alternatives under footnote b
8. Assessment of potential overlapping uses of footnote b including overlaps with adjacent
Transmission Planners and Planning Coordinators
III. Instances for which Regulatory Review of Interruptions of Firm Demand under Footnote b
is Required
Before a Firm Demand interruption under footnote b is allowed as an element of a Corrective
Action Plan in Year One of the Planning Assessment, the Transmission Planner or Planning
Coordinator must ensure that the applicable regulatory authorities or governing bodies
responsible for retail electric service issues do not object to the use of Firm Demand interruption
under footnote b if either:
1. The voltage level of the Contingency is greater than 300 kV
a. If the Contingency analyzed involves BES Elements at multiple System voltage
levels, the lowest System voltage level of the element(s) removed for the
analyzed Contingency determines the stated performance criteria regarding
allowances for Firm Demand interruptions under footnote b, or
b. For a non-generator step up transformer outage Contingency, the 300 kV limit
applies to the low-side winding (excluding tertiary windings). For a generator or
generator step up transformer outage Contingency, the 300 kV limit applies to the
BES connected voltage (high-side of the Generator Step Up transformer)
2. The planned Firm Demand interruption under footnote b is greater than or equal to 25
MW
Once assurance has been received that the applicable regulatory authorities or governing bodies
responsible for retail electric service issues do not object to the use of Firm Demand interruption
under footnote b, the Planning Coordinator or Transmission Planner must submit the
information outlined in items II.1 through II.8 above to the ERO for a determination of whether
there are any Adverse Reliability Impacts caused by the request to utilize footnote b for Firm
Demand interruption.
Standard TPL-004-2a System Performance Following Extreme BES Events
8 of 12
Appendix 1
Interpretation 2012-INT-02: Response to Request for Interpretation of TPL-003-0a,
Requirements R1.3.1, R1.3.10 and R1.5 and TPL-004-0, Requirements R1.3.1, R1.3.7 and R1.4
for the System Protection and Control Subcommittee
Datesubmitted: December12,2011
ThefollowinginterpretationsofTPL0030a,SystemPerformanceFollowingLossofTwoorMoreBulk
ElectricSystemElements(CategoryC),RequirementsR1.3.1,R1.3.10andR1.5andTPL0040,System
PerformanceFollowingExtremeEventsResultingintheLossofTwoorMoreBulkElectricSystem
Elements(CategoryD),RequirementsR1.3.1,R1.37andR1.4weredevelopedbymembersoftheAssess
TransmissionFutureNeedsStandardDraftingTeam(ATFNSTD),ProtectionSystemMisoperations
StandardDevelopmentTeam(PSMSDT),andProtectionSystemMaintenanceandTestingStandard
DraftingTeam(PSMTSDT).
Standard Requirement (and text)
TPL0030a R1.3.1BeperformedandevaluatedonlyforthoseCategoryCcontingenciesthat
wouldproducethemoreseveresystemresultsorimpacts.Therationaleforthe
contingenciesselectedforevaluationshallbeavailableassupportinginformation.
Anexplanationofwhytheremainingsimulationswouldproducelessseveresystem
resultsshallbeavailableassupportinginformation.
TPL0030a R1.3.10.Includetheeffectsofexistingandplannedprotectionsystems,including
anybackuporredundantsystems.
TPL0030a R1.5.ConsiderallcontingenciesapplicabletoCategoryC.
TPL0040 R1.3.1.BeperformedandevaluatedonlyforthoseCategoryDcontingenciesthat
wouldproducethemoreseveresystemresultsorimpacts.Therationaleforthe
contingenciesselectedforevaluationshallbeavailableassupportinginformation.
Anexplanationofwhytheremainingsimulationswouldproducelessseveresystem
resultsshallbeavailableassupportinginformation.
TPL0040 R1.3.7.Includetheeffectsofexistingandplannedprotectionsystems,includingany
backuporredundantsystems.
TPL0040 R1.4.ConsiderallcontingenciesapplicabletoCategoryD.
Please explain the clarification needed (as submitted).
ThisinterpretationrequesthasbeendevelopedtoaddressCommissionconcernsrelatedtotheterm
SinglePointofFailureandhowitrelatestosystemperformanceandcontingencyplanning
clarificationregardingthefollowingquestionsaboutthelistedstandards,requirementsandterms.
Morespecifically,clarificationisneededaboutthecomprehensivestudyofsystemperformance
Standard TPL-004-2a System Performance Following Extreme BES Events
9 of 12
relatingtoTable1s,CategoryCandDcontingencyofaprotectionsystemfailureandspecificallythe
impactoffailedcomponents(i.e.,SinglePointofFailure).Itisnotentirelyclearwhetheravalid
assessmentofaprotectionsystemfailureincludesevaluationofsharedornonredundantprotection
systemcomponents.Protectionsystemsthathaveasharedprotectionsystemcomponentarenottwo
independentprotectionsystems,becausebothprotectionsystemswillbemutuallyimpactedfora
failureofasinglesharedcomponent.Aprotectionsystemcomponentevaluationwouldincludethe
evaluationoftheconsequencesonsystemperformanceforthefailureofanyprotectionsystem
componentthatisintegraltotheoperationoftheprotectionsystembeingevaluatedandtothe
operationofanotherprotectionsystem.
OnMarch30,2009,NERCissuedanIndustryAdvisoryProtectionSystemSinglePointofFailure
1
(i.e.,
NERCAlert)forthreesignificantevents.Oneofwhich,theWestwingoutage(June14,2004)was
causedbyfailureofasingleauxiliaryrelaythatinitiatedbothbreakertrippingandthebreakerfailure
protection.Sincebreakertrippingandbreakerfailureprotectionbothsharedthesameauxiliaryrelay,
therewasnoindependencebetweenbreakertrippingandbreakerfailureprotectionsystems,therefore
causingbothprotectionsystemstonotoperateforthesinglecomponentfailureoftheauxiliaryrelay.
Thefailureofthisauxiliaryrelayisknownasasinglepointoffailure.Itisnotclearwhetherthis
situationiscomprehensivelyaddressedbytheapplicableentitieswhenmakingavalidassessmentof
systemperformanceforbothCategoryCandDcontingencies.
Question1:Fortheparenthetical(stuckbreakerorprotectionsystemfailure)inTPL0030a(Category
Ccontingencies69)andTPL0040(CategoryDcontingencies14),doesanentityhavetheoptionof
evaluatingtheeffects
2
ofeitherstuckbreakerorprotectionsystemfailurecontingency
3
,ordoesan
applicableentityhavetoevaluatethecontingencythatproducesthemoreseveresystemresultsor
impactsasidentifiedinR1.3.1ofbothstandards?
ThereisalackofclaritywhetherR1.3.1
4
requiresanentitytoassesswhichcontingencycausesthemost
severesystemresultsorimpacts(R1.3.1)andthisambiguitycouldresultinapotentialreliabilitygap.
Whetherthesimulationofastuckbreakerorprotectionsystemfailurewillproducetheworstresult
dependsontheprotectionsystemdesign.Forexamplewhenaprotectionsystemisfullyredundant,a
protectionsystemfailurewillnotaffectfaultclearing;therefore,astuckbreakerwouldresultinmore
severesystemresultsorimpacts.However,whenaprotectionsystemfailureaffectsfaultclearing,the
faultclearingtimemaybelongerthanthebreakerfailureprotectionclearingtimeforastuckbreaker
contingencyandmayresultintrippingofadditionalsystemelements,resultinginamoreseveresystem
response.
Question2:ForthephraseDelayedClearing
5
usedinCategoryC
6
contingencies69andCategoryD
7
contingencies14,towhatextentdoesthedescriptioninTable1,footnote(e)
8
requireanentityto
1
NERCWebsite:(http://www.nerc.com/fileUploads/File/Events%20Analysis/A2009033001.pdf)
2
AsrequiredbyNERCReliabilityStandardTPL0030a,RequirementR1.3.10.and/orTPL0040,Requirement
R1.3.7.
3
AsrequiredbyNERCReliabilityStandardTPL0030a,RequirementR1.5.and/orTPL0040,RequirementR1.4.
4
BeperformedandevaluatedonlyforthoseCategory(TPL0030aCategoryCandTPL0040CategoryD)
contingenciesthatwouldproducethemoreseveresystemresultsorimpacts.
5
AsrequiredbyNERCReliabilityStandardTPL0030a,RequirementR1.5.and/orTPL0040,RequirementR1.4.
6
AsrequiredbyNERCReliabilityStandardTPL0030a,RequirementR1.5.
Standard TPL-004-2a System Performance Following Extreme BES Events
10 of 12
modelasinglepointoffailureofaprotectionsystemcomponentthatmaypreventcorrectoperationof
aprotectionsystem,includingotherprotectionsystemsimpactedbythatfailedcomponentbasedon
theasbuiltdesignofthatprotectionsystem?
Thereisalackofclaritywhetherfootnote(e)inTable1requiresthestudyand/orsimulationofafailure
ofaprotectionsystemcomponent(i.e.,singlepointoffailure)thatmaypreventcorrectoperationof
theprotectionsystem(s)impactedbythecomponentfailure.Protectionsystemsthatsharea
protectionsystemcomponentarefullydependentuponthecorrectoperationofthatsingleshared
componentanddonotperformastwoindependentprotectionsystems.Thislackofclaritymayresult
inapotentialreliabilitygap.
Clarityisnecessaryastowhether(1)avalidassessmentshouldincludeevaluationofdelayedclearing
duetofailureoftheprotectionsystemcomponent(i.e.,singlepointoffailure),suchasthefailureofa
sharedprotectionsystemcomponent,thatproducesthemoreseveresystemresultsorimpacts;and(2)
thestudyand/orsimulationofthefaultclearingsequenceandprotectionsystem(s)operationshould
bebasedontheprotectionsystem(s)asbuiltdesign.
ThelackofclarityiscompoundedbythesimilaritybetweenthephraseDelayedClearingusedinTPL
0030aandTPL0040,footnote(e),andtheNERCglossarytermDelayedFaultClearing.WhileTPL
0030aandTPL0040donotusetheglossaryterm,thesimilaritymayleadtoconfusionand
inconsistencyinhowentitiesapplyfootnote(e)tostuckbreakerorprotectionsystemfailure
contingencyassessments.
Question1
Fortheparenthetical(stuckbreakerorprotectionsystemfailure)inTPL0030a(CategoryC
contingencies69)andTPL0040(CategoryDcontingencies14),doesanentityhavetheoptionof
evaluatingtheeffects
9
ofeitherstuckbreakerorprotectionsystemfailurecontingency
10
,ordoes
anapplicableentityhavetoevaluatethecontingencythatproducesthemoreseveresystemresultsor
impactsasidentifiedinR1.3.1ofbothstandards?
Response1
TheinterpretationdraftingteamconcludesthatthePlanningAuthorityandTransmissionPlannermust
evaluatethesituationthatproducesthemoreseveresystemresultsorimpacts(i.e.,TPL0030a,R1.3.1
andTPL0040,R1.3.1)duetoadelayedclearingconditionregardlessofwhethertheconditionresulted
fromastuckbreakerorprotectionsystemfailure.TheReliabilityStandardsTPL0030a(TableI,
7
AsrequiredbyNERCReliabilityStandardTPL0040,RequirementR1.4.
8
Footnote(e)DelayedClearing:failureofanyprotectionsystemcomponentsuchasarelay,circuitbreaker,or
currenttransformer,andnotbecauseofanintentionaldesigndelay,
9
AsrequiredbyNERCReliabilityStandardTPL0030a,RequirementR1.3.10.and/orTPL0040,Requirement
R1.3.7.
10
AsrequiredbyNERCReliabilityStandardTPL0030a,RequirementR1.5.and/orTPL0040,RequirementR1.4.
Standard TPL-004-2a System Performance Following Extreme BES Events
11 of 12
CategoryCcontingencies69)andTPL0040(TableI,CategoryDcontingencies14)involvean
assessmentoftheeffectsofeitherastuckbreakeroraprotectionsystemfailure.Thesingleline
ground(SLG)(TPL0030a,TableI,CategoryC)Faultand3phase(3)(TPL0040,TableI,CategoryD)
Faultcontingencieswithdelayedclearingarefurtherdefinedbyfootnote(e)andtheparenthetical
phrase(stuckbreakerorprotectionsystemfailure).Footnote(e)explainsthatDelayedclearingofa
Faultisduetofailureofanyprotectionsystemcomponentsuchasarelay,circuitbreaker,orcurrent
transformer,andnotbecauseofanintentionaldesigndelay.Theparentheticalfurtheremphasizes
thatthefailuremaybeastuckbreakerorprotectionsystemfailurethatcausesthedelayedclearing
ofthefault.ThetextinTable1ineitherstandardexplainsthatwhenselectingdelayedclearing
contingenciestoevaluate,bothconditions(stuckbreakerorprotectionsystemfailure)mustbe
considered.
Question2
ForthephraseDelayedClearing
11
usedinCategoryC
12
contingencies69andCategoryD
13
contingencies14,towhatextentdoesthedescriptioninTable1,footnote(e)
14
requireanentityto
modelasinglepointoffailureofaprotectionsystemcomponentthatmaypreventcorrectoperationof
aprotectionsystem,includingotherprotectionsystemsimpactedbythatfailedcomponentbasedon
theasbuiltdesignofthatprotectionsystem?
Response2
ThetermDelayedClearingthatisdescribedinTableI,footnote(e)referstofaultclearingthatresults
fromafailuretoachievetheprotectionsystemsnormallyexpectedclearingtime.ForCategoryCorD
contingencies,eachPlanningAuthorityandTransmissionPlannerispermittedengineeringjudgmentin
itsselectionoftheprotectionsystemcomponentfailuresforevaluationthatwouldproducethemore
severesystemresultsorimpact(i.e.,TPL0030a,R1.3.1andTPL0040,R1.3.1).Theevaluationwould
includeaddressingallprotectionsystemsaffectedbytheselectedcomponent.
Aprotectionsystemcomponentfailurethatimpactsoneormoreprotectionsystemsandincreasesthe
totalfaultclearingtimerequiresthePlanningAuthorityandTransmissionPlannertosimulatethefull
impact(clearingtimeandfacilitiesremoved)ontheBulkElectricSystemperformance.
Theinterpretationdraftingteambasesthisconclusiononthefootnote(e)exampleanyprotection
systemcomponentsuchas,relay,circuitbreaker,orcurrenttransformer...becausethecomponent
circuitbreakerisnotaddressedinthecurrentorpreviouslydefinedNERCglossaryterm.The
interpretationdraftingteaminitiallybelievedthelowercaseusageofprotectionsysteminferredthe
NERCglossarytermandthecomponentsdescribedtherein;however,basedontheinterpretation
11
AsrequiredbyNERCReliabilityStandardTPL0030a,RequirementR1.5.and/orTPL0040,RequirementR1.4.
12
AsrequiredbyNERCReliabilityStandardTPL0030a,RequirementR1.5.
13
AsrequiredbyNERCReliabilityStandardTPL0040,RequirementR1.4.
14
Footnote(e)DelayedClearing:failureofanyprotectionsystemcomponentsuchasarelay,circuitbreaker,or
currenttransformer,andnotbecauseofanintentionaldesigndelay,
Standard TPL-004-2a System Performance Following Extreme BES Events
12 of 12
draftingteamsfurtherassessmentoffootnote(e),itconcludesthattheexistingTPLstandards(TPL
0030aandTPL0040)donotimplicitlyusetheNERCglossaryterm.Withoutanexplicitreferenceto
theNERCglossaryterm,ProtectionSystem,thetwostandardsdonotprescribethespecific
protectionsystemcomponentsthatmustbeaddressedbythePlanningAuthorityandTransmission
PlannerinperformingthestudiesrequiredinTPL0030aandTPL0040.
[
Archive]
ACE 3/12/2007 6/8/2007 Means the instantaneous difference between net actual and
scheduled interchange, taking into account the effects of
Frequency Bias including correction for meter error.
Automatic
Generation Control
[Archive]
AGC 3/12/2007 6/8/2007 Means equipment that automatically adjusts a Control Areas
generation from a central location to maintain its interchange
schedule plus Frequency Bias.
Automatic Time
Error Correction
[Archive]
3/26/2008 5/21/2009 A frequency control automatic action that a Balancing Authority
uses to offset its frequency contribution to support the
Interconnections scheduled frequency.
Automatic Time
Error Correction
[Archive]
12/19/2012 The addition of a component to the ACE equation that modifies
the control point for the purpose of continuously paying back
Primary Inadvertent Interchange to correct accumulated time
error.
Average
Generation
[Archive]
3/12/2007 6/8/2007 Means the total MWh generated within the Balancing Authority
Operators Balancing Authority Area during the prior year
divided by 8760 hours (8784 hours if the prior year had 366
days).
Business Day
[Archive]
3/12/2007 6/8/2007 Means any day other than Saturday, Sunday, or a legal public
holiday as designated in section 6103 of title 5, U.S. Code.
Glossary of Terms Used in NERC Reliability Standards 72
WECC Regional
Term
Acronym
BOT
Approved
Date
FERC
Approved
Date
Definition
Commercial
Operation
[Archive]
10/29/2008 4/21/2011 Achievement of this designation indicates that the
Generator Operator or Transmission Operator of the
synchronous generator or synchronous condenser has received
all approvals necessary for operation after completion of initial
start-up testing.
Contributing
Schedule
[Archive]
2/10/2009 3/17/2011 A Schedule not on the Qualified Transfer Path between a
Source Balancing Authority and a Sink Balancing Authority that
contributes unscheduled flow across the Qualified Transfer
Path.
Dependability-
Based Misoperation
[Archive]
10/29/2008 4/21/2011 Is the absence of a Protection System or RAS operation when
intended. Dependability is a component of reliability and is the
measure of a devices certainty to operate when required.
Disturbance
[Archive]
3/12/2007 6/8/2007 Means (i) any perturbation to the electric system, or (ii) the
unexpected change in ACE that is caused by the sudden loss of
generation or interruption of load.
Glossary of Terms Used in NERC Reliability Standards 73
WECC Regional
Term
Acronym
BOT
Approved
Date
FERC
Approved
Date
Definition
Extraordinary
Contingency
[Archive]
3/12/2007 6/8/2007 Shall have the meaning set out in Excuse of Performance,
section B.4.c.
language in section B.4.c:
means any act of God, actions by a non-affiliated third party,
labor disturbance, act of the public enemy, war, insurrection,
riot, fire, storm or flood, earthquake, explosion, accident to or
breakage, failure or malfunction of machinery or equipment, or
any other cause beyond the Reliability Entitys reasonable
control; provided that prudent industry standards (e.g.
maintenance, design, operation) have been employed; and
provided further that no act or cause shall be considered an
Extraordinary Contingency if such act or cause results in any
contingency contemplated in any WECC Reliability Standard
(e.g., the Most Severe Single Contingency as defined in the
WECC Reliability Criteria or any lesser contingency).
Frequency Bias
[Archive]
3/12/2007 6/8/2007 Means a value, usually given in megawatts per 0.1 Hertz,
associated with a Control Area that relates the difference
between scheduled and actual frequency to the amount of
generation required to correct the difference.
Functionally
Equivalent
Protection System
[Archive]
FEPS 10/29/2008 4/21/2011 A Protection System that provides performance as follows:
Each Protection System can detect the same faults within the
zone of protection and provide the clearing times and
coordination needed to comply with all Reliability Standards.
Each Protection System may have different components and
operating characteristics.
Functionally
Equivalent RAS
[Archive]
FERAS 10/29/2008 4/21/2011 A Remedial Action Scheme (RAS) that provides the same
performance as follows:
Each RAS can detect the same conditions and provide
Glossary of Terms Used in NERC Reliability Standards 74
WECC Regional
Term
Acronym
BOT
Approved
Date
FERC
Approved
Date
Definition
mitigation to comply with all Reliability Standards.
Each RAS may have different components and operating
characteristics.
Generating Unit
Capability
[Archive]
3/12/2007 6/8/2007 Means the MVA nameplate rating of a generator.
Non-spinning
Reserve
[Archive]
3/12/2007 6/8/2007 Means that Operating Reserve not connected to the system but
capable of serving demand within a specified time, or
interruptible load that can be removed from the system in a
specified time.
Normal Path
Rating
[Archive]
3/12/2007 6/8/2007 Is the maximum path rating in MW that has been demonstrated
to WECC through study results or actual operation, whichever
is greater. For a path with transfer capability limits that vary
seasonally, it is the maximum of all the seasonal values.
Operating Reserve
[Archive]
3/12/2007 6/8/2007 Means that capability above firm system demand required to
provide for regulation, load-forecasting error, equipment forced
and scheduled outages and local area protection. Operating
Reserve consists of Spinning Reserve and Nonspinning
Reserve.
Operating Transfer
Capability Limit
[Archive]
OTC 3/12/2007 6/8/2007 Means the maximum value of the most critical system
operating parameter(s) which meets: (a) precontingency
criteria as determined by equipment loading capability and
acceptable voltage conditions, (b) transient criteria as
determined by equipment loading capability and acceptable
voltage conditions, (c) transient performance criteria, and (d)
post-contingency loading and voltage criteria.
Glossary of Terms Used in NERC Reliability Standards 75
WECC Regional
Term
Acronym
BOT
Approved
Date
FERC
Approved
Date
Definition
Primary
Inadvertent
Interchange
[Archive]
3/26/2008 5/21/2009 The component of area (n) inadvertent interchange caused by
the regulating deficiencies of the area (n).
Qualified
Controllable Device
[Archive]
2/10/2009 3/17/2011 A controllable device installed in the Interconnection for
controlling energy flow and the WECC Operating Committee
has approved using the device for controlling the USF on the
Qualified Transfer Paths.
Qualified Transfer
Path
[Archive]
2/10/2009 3/17/2011 A transfer path designated by the WECC Operating Committee
as being qualified for WECC unscheduled flow mitigation.
Qualified Transfer
Path Curtailment
Event
[Archive]
2/10/2009 3/17/2011 Each hour that a Transmission Operator calls for Step 4 or
higher for one or more consecutive hours (See Attachment 1
IRO-006-WECC-1) during which the curtailment tool is
functional.
Relief Requirement
[Archive]
2/10/2009 3/17/2011 The expected amount of the unscheduled flow reduction on the
Qualified Transfer Path that would result by curtailing each Sink
Balancing Authoritys Contributing Schedules by the
percentages listed in the columns of WECC Unscheduled Flow
Mitigation Summary of Actions Table in Attachment 1 WECC
IRO-006-WECC-1.
Secondary
Inadvertent
Interchange
[Archive]
3/26/2008 5/21/2009 The component of area (n) inadvertent interchange caused by
the regulating deficiencies of area (i).
Security-Based
Misoperation
10/29/2008 4/21/2011 A Misoperation caused by the incorrect operation of a
Protection System or RAS. Security is a component of reliability
Glossary of Terms Used in NERC Reliability Standards 76
WECC Regional
Term
Acronym
BOT
Approved
Date
FERC
Approved
Date
Definition
[Archive] and is the measure of a devices certainty not to operate
falsely.
Spinning Reserve
[Archive]
3/12/2007 6/8/2007 Means unloaded generation which is synchronized and ready to
serve additional demand. It consists of Regulating reserve and
Contingency reserve (as each are described in Sections B.a.i
and ii).
Transfer
Distribution Factor
[Archive]
TDF 2/10/2009 3/17/2011 The percentage of USF that flows across a Qualified Transfer
Path when an Interchange Transaction (Contributing Schedule)
is implemented. [See the WECC Unscheduled Flow Mitigation
Summary of Actions Table (Attachment 1 WECC IRO-006-
WECC-1).]
WECC Table 2
[Archive]
3/12/2007 6/8/2007 Means the table maintained by the WECC identifying those
transfer paths monitored by the WECC regional Reliability
coordinators. As of the date set out therein, the transmission
paths identified in Table 2 are as listed in Attachment A to this
Standard.
Endnotes
FERC approved the WECC Tier One Reliability Standards in the Order Approving Regional Reliability Standards for the Western Interconnection and Directing Modifications, 119
FERC 61,260 (June 8, 2007). In that Order, FERC directed WECC to address the inconsistencies between the regional definitions and the NERC Glossary in developing permanent
replacement standards. The replacement standards designed to address the shortcomings were filed with FERC in 2009.
NERC Reliability Standards Complete Set Page 1 of 13
Change History
NERC Reliability Standards Complete Set Change History Table
Date Standard Requirement Change that was made
7/9/13
Glossary of Terms replaced with the
updated version
7/1/13
EOP-005-2, EOP-006-2, &
EOP-008-1
Updated VRFs and VSLs based on June
24, 2013 approval.
7/1/13
EOP-001-0.1b, EOP-005-
1, EOP-006-1, EOP-008-0,
EOP-009-0 & VAR-002-
1.1b
Retired Removed
6/20/13
EOP-004-2, TPL-003-0b,
TPL-004-0a & VAR-001-3
FERC Approved Added
6/20/13
TPL-003-0a & TPL-004-0
Retired Removed
6/10/13 TOP-007-WECC-1
Modified the VRF for Requirement R1
from "Medium" to "High" and the VRF for
Requirement R2 from "Low" to "Medium"
5/13/13 PRC-024-1
NERC BOT Approved Added
5/13/13
Glossary of Terms replaced with the
updated version
5/13/13 IRO-001-2
Retired Removed
NERC Reliability Standards Complete Set Page 2 of 13
Change History
Date Standard Requirement Change that was made
5/13/13 CIP-007-3 & CIP-007-4
The version number was updated to
(CIP-007-3a & CIP-007-4a) to
incorporate the approved interpretation
that should have previously been
appended.
5/13/13 FAC-003-2
Board of Trustees adopted the
modification of the VRF for Requirement
R2 of FAC-003-2 by raising the VRF from
Medium to High.
4/23/13 PER-002-0 & PER-004-1
Retired Removed
4/17/13 VAR-002-2b
FERC Approved Added
4/9/13 MOD-027-1 Footnote Update
4/5/13 TOP-006-3
Updated Rapid revision to
accommodate interpretation request for
Requirements R1.2 & R3. Updates
made to the VSL table.
4/5/13 PRC-006-SERC-01
Updated Modified the Rationale and
changed the VRF for Requirement R6
from Medium to High per a
compliance filing (Filed on 3/11/13)
4/5/13 FAC-003-2
FERC Approved Added
Glossary of Terms replaced with the
updated version
4/5/13
CIP-002-3a, CIP-002-4a,
CIP-006-3d & CIP-006-4d
Removed FERC remanded these
interpretations in an order issued on
3/21/13
NERC Reliability Standards Complete Set Page 3 of 13
Change History
Date Standard Requirement Change that was made
4/5/13 CIP-002-3b
Updated FERC Order issued
remanding interpretation of R3 for Duke
Energy; interpretation removed from
standard (previously Appendix 1)
4/1/13 FAC-012-1 & FAC-013-1
Retired Removed
4/1/13
Glossary of Terms replaced with the
updated version
3/12/13 BAL-003-1
Updated the standard to include
Attachment A.
3/08/13 CIP-002-4b
Removed (CIP-002-4b was removed
because the interpretation of R1.2.5 was
inadvertently appended to the standard
and does not apply to version 4 of CIP-
002.)
3/01/13 PRC-006-NPCC-1 FERC Approved Added
2/15/13 Various standards
Updated requirements and associated
elements approved by NERC Board of
Trustees for retirement as part of the
Paragraph 81 project (Project 2013-02)
pending applicable regulatory approval.
2/15/13
BAL-003-1, CIP-002-3b,
CIP-002-4b, IRO-006-
WECC-2, MOD-025-2,
MOD-026-1, MOD-027-1,
PRC-019-1, TPL-001-3,
TPL 001 4 TPL 002 2b
NERC BOT Approved Added
Glossary of Terms replaced with the
updated version
1/30/13
CIP-004-5, CIP-005-5,
CIP-006-5, CIP-007-5,
CIP-008-5, CIP-009-5,
CIP-010-1& CIP-011-1
Updated the standards by moving the
Reference to Prior Version and Change
Rationale to the Rationale section of the
standard.
NERC Reliability Standards Complete Set Page 4 of 13
Change History
Date Standard Requirement Change that was made
1/11/13
Glossary of Terms replaced with the
updated version
1/9/13 PRC-006-SERC01 FERC Approved Added
01/03/13 FAC-008-1 & FAC-009-1 Retired Removed
12/21/12
BAL-001-1 & BAL-004-
WECC-02
NERC BOT Approved Added
Glossary of Terms replaced with the
updated version
12/21/12 PRC-004-1a Retired Removed
12/13/12 CIP-004-3a & CIP-004-4a
FERC Letter Order issued on December
12, 2012, approving the Interpretation of
R2 R3 and R4
12/3/12
CIP-002-5, CIP0035,
NERC BOT Approved Added
Glossary of Terms replaced with the
updated version
11/19/12 PRC-006-1
FERC Letter Order issued on November
9, 2012, accepting the modification of the
VRF in R5 from (Medium to High) and
the modification of the VSL language in
R8.
11/15/12
BAL-002-WECC-2, BAL-
002-1a, COM-001-2,
COM-002-3, EOP-004-2,
PRC-005-2, PRC-006-
NERC BOT Approved Added
11/7/12 BAL-002-WECC-1
Retired Removed (Remanded in
FERC Order, effective November 26,
2010)
11/7/12 MOD-025-RFC-01
Retired Removed (The NERC BOT
withdrew its approval of this standard at
its meeting on November 7, 2012)
10/19/12
Glossary of Terms replaced with the
updated version
NERC Reliability Standards Complete Set Page 5 of 13
Change History
Date Standard Requirement Change that was made
10/17/12 EOP-005-2 & EOP-006-2
Updated the standard to remove the
VRFs and VSLs, as they are not yet
FERC approved.
10/15/12
Glossary of Terms replaced with the
updated version
10/3/12
PER-003-0
Retired Removed
9/27/12 TOP-003-1
Updated the standard to remove the
VSLs, as they are not yet FERC
approved.
9/20/12
Glossary of Terms replaced with the
updated version
9/20/12
BAL-005-0.2b, EOP-001-
0.1b, EOP-001-2.1b, EOP-
002 3 1 IRO 00 3 1
FERC Approved Added
9/20/12 PRC-001-2
Capitalized Protection System to conform
with errata changes made in PRC-001-
1.1
8/20/12
IRO-001-3 & VAR-002-2b
NERC BOT Approved Added
8/20/12
BAL-004-1
Retired Removed (The NERC BOT
withdrew its approval of this standard at
7/30/12
CIP-004-3a & CIP-004-4a
NERC BOT Approved Added
7/18/12 BAL-502-RFC-02, EOP-
Updated the FERC Order date in the
7/17/12 IRO-010-1a
Updated the FERC Order date in the
version history table
7/6/12 FAC-003-3
Removed Regional Entity from the title
of 1.2 of the Compliance section and
corrected the headings of Table 2, page
3
7/6/12 FAC-003-2
Corrected the Compliance section of the
proposed standard per NERCs 4/24/12
Errata filing
7/6/12
TPL-001-1, TPL-002-1b,
TPL-003-1a, TPL-004-1
Retired Removed (Remanded in
4/19/12 FERC Order, effective 7/6/12)
6/26/12 TPL-002-0b
Updated the FERC Order date in the
version history table
NERC Reliability Standards Complete Set Page 6 of 13
Change History
Date Standard Requirement Change that was made
6/7/12 PRC-001-2 NERC BOT Approved Added
6/4/12 IRO-006-TRE-1 FERC Approved Added
6/1/12 FAC-008-3
FERC Order issued directing the VRF for
Requirement R2. be changed from
Lower to Medium
6/1/12 FAC-013-2
FERC Order issued directing the VRFs
for Requirement R1. and R4. be changed
from Lower to Medium.
FERC Order issued correcting the High
and Severe VSL language for R1.
5/31/12 FAC-003-3
Corrected footnote references throughout
the standard.
5/25/12 FAC-003-3
NERC BOT Approved Added
Glossary of Terms also replaced with the
updated version
5/16/12 EOP-003-2 & PRC-006-1 FERC Approved Added
5/14/12
CIP-002-3a, CIP-002-4a,
PRC-005-1.1b, TOP-001-
2, TOP-002-3, TOP-003-2,
VAR-001-3 NERC BOT Approved Added
5/8/12
TPL-001-1, TPL-002-1b,
TPL-003-1a, & TPL-004-1
Updated the version history for TPL-001-
1, TPL-002-1b, TPL-003-1a, & TPL-004-
1 due to FERC Order issuing a remand
(order becomes effective July 6, 2012).
5/3/12
CIP-002-4, CIP-003-4,
CIP-004-4, CIP-005-4a,
CIP-006-4c, CIP-007-4,
CIP-008-4, & CIP-009-4
FERC Approved Added
5/2/12 BAL-002-0 Retired Removed
5/2/12 IRO-006-WECC-1
Updated the requirements to R1. and R2.
instead of R.1. and R1.2.
4/12/12 PRC-005-1b
Added footnote to Interpretation b to note
that the interpretation will be superseded
when the modified definition of Protection
System becomes effective.
4/12/12
NUC-001-2.1, PRC-001-
1.1, & TOP-002-2.1b
Errata Standards Committee Approved
Added (NUC-001-2.1 & PRC-001-1.1).
TOP-002-2.1b- Additional errata adopted
by Standards Committee; (Deleted
language from retired sub-requirement
from Measure M7).
NERC Reliability Standards Complete Set Page 7 of 13
Change History
Date Standard Requirement Change that was made
3/29/12 PRC-023-2
FERC Approved Added
3/29/12
BAL-005-0.1b, BAL-005-
0.2b & EOP-001-2.1b,
MOD-016-1.1, MOD-017-
0.1, MOD-019-0.1, PRC-
016-0.1,TPL-001-0.1
Updated the version history for BAL-005-
0.1b, BAL-005-0.2b, MOD-016-1.1,
MOD-017-0.1, MOD-019-0.1, PRC-016-
0.1 and TPL-001-0.1 to remove the
reference to the footer.
The version history was also updated for
EOP-001-2.1b to correct the version for
the errata entry.
3/22/12 Interpretations & Errata
Removed footers from all interpretations
and errata to avoid confusion regarding
what the BOT adoption date pertains to
(going forward, footers will no longer be
included in reliability standards)
3/20/12
BAL-005-0.2b, EOP-001-
0.1b, EOP-001-2.1b, EOP-
002-3.1, IRO-005-3.1a,
PER-001-0.2, TOP-002-
2.1b Standards Committee Approved - Added
3/14/12 PRC-005-1a
All Requirements
and Sub-
requirements Retired Removed
3/8/12 CIP-006-4c
Updated the footer to include the Board
Approval dates and updated the lettering.
3/8/12 IRO-005-3a
Updated the footer to include the Board
Approval dates and updated the version
history.
3/8/12 BAL-STD-002-0 Updated the Header
3/8/12 CIP-006-3d & CIP-006-4d
Added footer to include Board Approval
dates & removed unnecessary lettering.
2/28/12 EOP-001-0b
Removed footnote in Appendix 2. This
footnote was prematurely added and the
error in the Appendix will be corrected
through an errata. The footer was also
updated to include the BOT adoption
dates of the standard and the
interpretations.
2/28/12 TOP-002-2b
Added FERC Approved language back
in to the effective date section. This
language is an error that was
prematurely deleted and will be corrected
through an errata. The footer was also
updated to include the BOT adoption
dates of the standard and the
NERC Reliability Standards Complete Set Page 8 of 13
Change History
Date Standard Requirement Change that was made
interpretations.
2/27/12 PRC-005-1b
All Requirements
and Sub-
requirements
FERC Approved Added
2/22/12 EOP-007-0
All Requirements
and Sub-
requirements Withdrawn Removed
2/22/12
CIP-006-3d, CIP-006-4d,
COM-002-2a, FAC-001-1,
MOD-028-2, PRC-004-
2.1a, PRC-006-NPCC-1
All Requirements
and Sub-
requirements NERC BOT Approved Added
2/8/12
Replaced the Glossary of Terms with the
updated version
01/12/11
Replaced the Glossary of Terms with the
updated version
01/12/11
EOP-001-2b
EOP-001-2
All Requirements
and Sub-
requirements
FERC Approved Added
Retired Removed
01/12/11
EOP-001-0b
EOP-001-0
All Requirements
and Sub-
requirements
FERC Approved Added
Retired Removed
12/13/11
Replaced the Glossary of Terms with the
updated version
12/13/11 FAC-008-3, FAC-013-2
All Requirements
and Sub-
requirements FERC Approved Added
12/13/11
FAC-003-2, MOD-025-
RFC-01, PRC-006-SERC-
01, IRO-006-TRE-1
All Requirements
and Sub-
requirements NERC BOT Approved Added
12/13/11 TOP-001-1
All Requirements
and Sub-
requirements Retired Removed
10/26/11
Replaced the Glossary of Terms with the
updated version
10/26/11
TOP-002-2a, PRC-002-
NPCC-01
All Requirements
and Sub-
requirements FERC Approved Added
10/26/11 TPL-002-0a, TOP-002-2a
All Requirements
and Sub-
requirements Retired Removed
10/26/11 PRC-006-1
Updated to correct formatting of chart in
NERC Reliability Standards Complete Set Page 9 of 13
Change History
Date Standard Requirement Change that was made
Attachment 1
10/10/11
PRC-004-2a
PRC-004-2
All Requirements
and Sub-
requirements
FERC Approved Added
Retired Removed
10/10/11
PRC-005-1a
PRC-005-1
All Requirements
and Sub-
requirements
FERC Approved Added
Retired Removed
10/10/11
PRC-004-1a
PRC-004-1
All Requirements
and Sub-
requirements
FERC Approved Added
Retired Removed
10/10/11 PER-003-1
All Requirements
and Sub-
requirements FERC Approved Added
10/03/11 IRO-006-EAST-1
Updated to remove the section including
definitions used in the standard
(consistent with the version posted on
the Reliability Standards page)
10/03/11 CIP-006-3c, CIP-006-4c
All Requirements
and Sub-
requirements
Updated version history and order of
interpretations
10/03/11
CIP-001-1a, EOP-002-2.1,
FAC-002-0, IRO-002-1,
IRO-004-1, IRO-005-2a,
PRC-STD-001-1, PRC-
STD-003-1, TOP-003-0,
TOP-005-1.1a, TOP-006-
1, VAR-001-1
All Requirements
and Sub-
requirements Retired Removed
09/27/11 TOP-001-1a, TPL-002-0b
All Requirements
and Sub-
requirements FERC Approved Added
08/18/11
IRO-001-2, IRO-002-3,
IRO-005-4, IRO-014-2,
TPL-001-2
All Requirements
and Sub-
requirements NERC BOT Approved Added
08/18/11 EOP-001-0b, EOP-001-2b
All Requirements
and Sub-
requirements
NERC BOT Approved Added
(previously missing from the complete
set)
08/18/11 IRO-010-1
All Requirements
and Sub-
requirements Retired Removed
08/11/11 TOP-001-1a
All Requirements
and Sub-
requirements
NERC BOT Approved Added
(previously missing from the complete
set)
08/05/11
BAL-002-WECC-1, BAL-
004-1, BAL-004-WECC-
Footers updated to include/correct NERC
NERC Reliability Standards Complete Set Page 10 of 13
Change History
Date Standard Requirement Change that was made
01, BAL-STD-002-0, CIP-
006-3c, FAC-501-WECC-
1, PRC-001-1, PRC-002-
NPCC-01, PRC-004-
WECC-1, PRC-STD-001-
1, PRC-STD-003-1, TOP-
007-WECC-1, VAR-002-
WECC-1, VAR-501-
WECC-1
BOT approval dates
08/05/11 CIP-001-2a
All Requirements
and Sub-
requirements FERC Approved Added
08/04/11
Replaced the Glossary of Terms with the
updated version
07/20/11
PRC-023-2, FAC-008-3,
PRC-002-NPCC-01, CIP-
001-2a, TOP-002-2b
All Requirements
and Sub-
requirements
NERC BOT Approved Added
(previously missing from the complete
set)
07/20/11 EOP-001-2, IRO-004-2
All Requirements
and Sub-
requirements FERC Approved Added
07/20/11 EOP-001-1
All Requirements
and Sub-
requirements Retired Removed
07/19/11 BAL-003-0.1b
Version history updated to be consistent
with prior versions
07/01/11
Replaced the Glossary of Terms with the
updated version
07/01/11
TOP-STD-007-0, PRC-
STD-005-1, VAR-STD-
002a-1, VAR-STD-002b-1,
IRO-006-4.1, IRO-STD-
006-0
All Requirements
and Sub-
requirements Retired Removed
05/26/11
Replaced the Glossary of Terms with the
updated version
05/26/11 IRO-005-3a, TOP-005-2a
All Requirements
and Sub-
requirements
Updated IRO-005-3 and TOP-005-2 to
include FERC Approved Interpretation
05/26/11 TOP-005-1.1, IRO-005-2
All Requirements
and Sub-
requirements Retired Removed
05/19/11 CIP-005-4a, CIP-006-4c
All Requirements
and Sub-
requirements
Updated CIP-005-4 and CIP-006-4 to
include FERC Approved Interpretations
NERC Reliability Standards Complete Set Page 11 of 13
Change History
Date Standard Requirement Change that was made
05/05/11
EOP-008-1, FAC-501-
WECC-1, IRO-005-2a,
IRO-006-5, IRO-006-
EAST-1, PRC-004-WECC-
1, TOP-005-1.1a, TOP-
007-WECC-1, VAR-002-
WECC-1, VAR-501-
WECC-1
All Requirements
and Sub-
requirements FERC Approved Added
04/14/11 CIP-005-2a, CIP-005-3
All Requirements
and Sub-
requirements Removed
04/14/11
CIP-005-3a, EOP-005-2,
EOP-006-2, IRO-005-3,
TOP-005-2
All Requirements
and Sub-
requirements FERC Approved Added
04/08/11
Multiple Standards added and removed
to make the Complete Set of Reliability
Standards current (specific changes will
be noted again going forward)
Glossary of Terms also replaced with the
updated version
06/01/10
CIP Version 1 Standards
MOD-001-0 thru MOD-
005-0, MOD-008-0, MOD-
009-0, and MOD-030-1
All Requirements
and Sub-
requirements Removed
05/03/10 FAC-010-2.1
All Requirements
and Sub-
requirements FERC Approved Added
04/21/10
Replaced the Glossary of Terms with the
updated version
04/09/10 CIP-007-2a
All Requirements
and Sub-
requirements FERC Approved Added
04/09/10 PRC-023-1
All Requirements
and Sub-
requirements FERC Approved Added
04/09/10 CIP Version 3 Standards
All Requirements
and Sub-
requirements NERC BOT Approved Added
12/03/09 TOP-002-2a
All Requirements
and Sub-
requirements FERC Approved Added
11/02/09 BAL-502-RFC-02
All Requirements
and Sub-
NERC BOT Approved Added
NERC Reliability Standards Complete Set Page 12 of 13
Change History
Date Standard Requirement Change that was made
requirements
09/14/09
EOP-001-2
EOP-005-2
EOP-006-2
NUC-001-2
All Requirements
and Sub-
requirements NERC BOT Approved Added
05/20/09
Inserted Change History to End of
Complete Set
05/20/09
CIP-002-2 through CIP-
009-2
All Requirements
and Sub-
requirements NERC BOT Approved Added
05/20/09 IRO-006-4.1
All Requirements
and Sub-
requirements NERC BOT Approved Added
05/20/09 MOD-021-0.1
All Requirements
and Sub-
requirements NERC BOT Approved Added
05/20/09 PER-001-0.1
All Requirements
and Sub-
requirements NERC BOT Approved Added
05/20/09 TPL-006-0.1
All Requirements
and Sub-
requirements NERC BOT Approved Added
05/20/09
BAL-001-0.1a
BAL-001-0a
All Requirements
and Sub-
requirements
FERC Approved Added
Retired Removed
05/20/09
BAL-003-0.1b
BAL-003-0a
All Requirements
and Sub-
requirements
FERC Approved Added
Retired Removed
05/20/09
BAL-005-0.1b
BAL-005-0b
All Requirements
and Sub-
requirements
FERC Approved Added
Retired Removed
05/20/09
COM-001-1.1
COM-001-1
All Requirements
and Sub-
requirements
FERC Approved Added
Retired Removed
05/20/09
EOP-002-2.1
EOP-002-2
All Requirements
and Sub-
requirements
FERC Approved Added
Retired Removed
05/20/09
IRO-001-1.1
IRO-001-1
All Requirements
and Sub-
requirements
FERC Approved Added
Retired Removed
05/20/09 MOD-006-0.1
All Requirements
FERC Approved Added
NERC Reliability Standards Complete Set Page 13 of 13
Change History
Date Standard Requirement Change that was made
MOD-006-0 and Sub-
requirements
Retired Removed
05/20/09
MOD-016-1.1
MOD-016-1
All Requirements
and Sub-
requirements
FERC Approved Added
Retired Removed
05/20/09
MOD-017-0.1
MOD-017-0
All Requirements
and Sub-
requirements
FERC Approved Added
Retired Removed
05/20/09
MOD-019-0.1
MOD-019-0
All Requirements
and Sub-
requirements
FERC Approved Added
Retired Removed
05/20/09
PRC-016-0.1
PRC-016-0
All Requirements
and Sub-
requirements
FERC Approved Added
Retired Removed
05/20/09
TOP-005-1.1
TOP-005-1
All Requirements
and Sub-
requirements
FERC Approved Added
Retired Removed
05/20/09
TPL-001-0.1
TPL-001-0
All Requirements
and Sub-
requirements
FERC Approved Added
Retired Removed
05/20/09
VAR-002-1.1a
VAR-002-1a
All Requirements
and Sub-
requirements
FERC Approved Added
Retired Removed