
Attachment "C" CIP Data List for Sampling

Sequence of Completion
Phase 1 - RFC supplies Attachment C for the entity to input the required data.
Phase 2 - Entity completes the three green colored tabs (Critical Assets, Cyber Assets, and Personnel) and submits to RFC via extranet. See the Phase 2 instructions for more details.
Phase 3 - RFC performs sample selection and sends back to the entity for detailed information requests (Device Sample and Personnel Sample tabs will be populated with the requested samples).
Phase 4 - Entity supplies detailed information back to RFC via extranet (Device Sample and Personnel Sample tabs completed).

RFC Action Required: RFC supplies Attachment C to the entity as part of the 90 day notification package. The CIP evidence list (yellow tab) is customized for the entity audit scope.

Color-coded tabs
- Green tabs are populated by the entity.
- Red tabs illustrate the information required once samples are selected by RFC. There is no need to fill in this information.
- The yellow tab is customized by the ATL to assist the entity via a list of applicable in-scope requirements, with due dates and samples as appropriate.

Acronyms
EACM - Electronic Access Control and Monitoring
AP - Access Point
CCA - Critical Cyber Asset
ESP - Electronic Security Perimeter
NCCA - Non-Critical Cyber Asset
PSP - Physical Security Perimeter
PACS - Physical Access Control System

Next Steps: After this workbook is completed, sent to and received by ReliabilityFirst, the audit team will apply a sampling methodology to this data list in order to establish and define a specific random sample set to audit against. The audit team will then send Evidence Requests for the specific random sample to the audited entity within 10 calendar days of receipt of a completed Attachment C and/or no later than sixty-five (65) calendar days prior to the scheduled review date of the Compliance Audit.

ReliabilityFirst CIP Evidence List


Standard and Requirement (one entry per evidence row, in the order of the evidence list; a superscript 4 in the source marks requirements covered by TFE Footnote #4, shown here as [fn 4])

CIP-002-3: R1, R1.1, R1.2, R1.2.1, R1.2.2, R1.2.3, R1.2.4, R1.2.5, R1.2.6, R1.2.7, R2, R3, R4

CIP-003-3: R1, R1.1, R1.2, R1.3, R2, R2.1, R2.2, R2.3, R2.4, R3, R3.1, R3.2, R3.2, R3.3, R4, R4.3, R5, R5.1, R5.1.2, R5.2, R5.3, R6, R6

CIP-004-3: R1, R1, R2, R2.1, R2.2, R2.3, R3, R3, R3.1, R3.2, R3.3, R4, R4.1, R4.1, R4.2, plus one row without a requirement number (supporting evidence for R2, R3 and R4)

CIP-005-3: R1, R1, R1, R1, R1, R1, R2, "R2.1, R2.2", R2, R2, R2, R2, R2, R2.4 [fn 4], R2.6 [fn 4], R3, R3, R3, R3, R3, R3.1 [fn 4], R3.2 [fn 4], R4, R4.1, R4.5, R4.5, "R5 & R5.1", R5.2, R5.3

CIP-006-3: R1, R1, R1.1 [fn 4], R1.1 [fn 4], R1.2, R1.2, R1.3, R1.3, R1.4, R1.5, R1.6, R1.6, R1.7, R1.8, R2.1, R2.2, R3, R4, R5, R6, R6, R7, R8, R8.1, R8.2, R8.3

CIP-007-3: R1, R1, R1, R1.1, R1.2, R1.3, R2, R2.3 [fn 4], R3 [fn 4], R3 [fn 4], R3 [fn 4], R4 [fn 4], R4 [fn 4], R4 [fn 4], R5, R5.1.1, R5.1.2, R5.1.3, R5.2, R5.2, R5.3 [fn 4], R5.3 [fn 4], R5.3.1 [fn 4], R5.3.2 [fn 4], R5.3.3 [fn 4], R6 [fn 4], R6 [fn 4], R6.1, R6.2, R6.2, R6.3 [fn 4], R6.3 [fn 4], "R6.4, R6.5", R7, R7.3, R8, R8.1, R8.4, R8.4, R9

CIP-008-3: R1, R1.1, R1.2, R1.2, R1.2, R1.3, R1.3, R1.4, R1.4, R1.5, R1.6, R2

CIP-009-3: R1, R1, R1.1, R1.1, R1.2, R1, R2, R3, R4, R5

Notes

1. Evidence identified in this listing is the result of each requirement. This listing is intended to provide guidance to the entities in preparation for their audits or continued
2. Evidence identified in this column must be submitted 40 days before the scheduled audit review date.
3. Evidence identified in this column must be submitted as designated by ReliabilityFirst.



Evidence (note 1)

CIP-002-3
- Provide Risk Based Assessment Methodology (RBAM)
- Provide evidence that the RBAM includes both procedures and evaluation criteria, and that the evaluation criteria are risk-based
- Provide evidence that all required BES asset categories were evaluated by the RBAM for inclusion on the Critical Asset List
- Provide evidence that all control centers and backup control centers were considered by the RBAM
- Provide evidence that all transmission substations were considered by the RBAM, and that evaluation of these assets was performed at the substation level
- Provide evidence that all generation resources were considered by the RBAM, and that evaluation of these assets was performed at the level of greatest commonality
- Provide evidence that at least the generator(s) used in the preferred restoration path are identified as Critical Assets. If applicable, provide the system restoration plan
- Provide evidence that all automatic load shedding systems meeting the parameters of the standard were considered by the RBAM
- Provide evidence that all special protection systems were considered by the RBAM
- Provide evidence of any additional assets considered by the RBAM
- Provide the Critical Asset List derived through annual application of the RBAM
- Provide evidence of annual review of the Critical Asset List. Supporting Evidence: For BES assets that were added or acquired, provide evidence that said assets were evaluated by the RBAM
- Provide the list of Critical Cyber Assets
- Provide evidence that all cyber assets associated with each Critical Asset were evaluated as possible Critical Cyber Assets. Supporting Evidence: If a comprehensive list of Cyber Assets was used as the basis for evaluation, provide this list. The list should 1) be grouped by Critical Asset, 2) have a unique identifier for the Cyber Asset such as a device name, 3) give the type of Cyber Asset (e.g. server, workstation, network device, etc.), 4) give the reliability functions the Cyber Asset supports, and 5) give the network segments the Cyber Asset is connected to (network segment identifier or Class C address space as depicted on a network topology diagram). If a comprehensive list of Cyber Assets was not used as a basis for this evaluation, provide an explanation of how the Cyber Assets associated with the Critical Asset were identified for consideration as a Critical Cyber Asset, and the list of Cyber Assets considered
- Provide evidence that the senior manager or delegate approved the RBAM, CA list, and CCA list

CIP-003-3
- Provide the Cyber Security Policy. Supporting Evidence: Provide all policies referenced by the cyber security policy that address any of the requirements in CIP-002-3 through CIP-009-3
- Provide evidence that each version of the cyber security policy addresses each of the requirements in CIP-002-3 through CIP-009-3 and contains provision for emergency situations
- Provide evidence that the Cyber Security Policy, including any policy incorporated by reference, has been made readily available to all personnel with authorized electronic or unescorted physical access to any Critical Cyber Asset
- Provide evidence that each version of the cyber security policy, including any policy incorporated by reference, has been approved by the senior manager assigned per R2
- Provide evidence of the assignment of a senior manager, including date of designation and effective date of any changes
- Provide evidence that the assignment of the senior manager includes the required information
- If applicable, provide the effective date of any change to the assignment of the senior manager
- If applicable, provide evidence of delegation of authority, including the specific actions for which authority is delegated and the effective date of the delegation
- If applicable, provide evidence that exceptions from the requirements of the cyber security policy were documented and authorized by the senior manager or delegate(s).

- Provide documentation of exceptions to the Cyber Security Policy, including expired exceptions, or an assertion that there have been no exceptions to the Cyber Security Policy during the compliance period
- For each exception to the cyber security policy, provide evidence of the date of approval
- For each exception to the cyber security policy, provide evidence of the explanation of the necessity for the exception
- For each exception to the cyber security policy, provide evidence of any compensating measures
- For each exception to the cyber security policy, provide evidence of the annual review
- Provide the information protection program
- Provide evidence of an annual assessment of the information protection program
- Provide the access control program
- Provide the list of designated personnel who are responsible for authorizing logical or physical access to protected information
- Provide evidence of annual verification of the list of personnel responsible for authorizing access to protected information
- Provide evidence of annual review of access privileges
- Provide evidence of the annual assessment of processes for controlling access privileges to protected information
- Provide the process for change control and configuration management
- Provide evidence that the change control and configuration management process has been implemented

CIP-004-3
- Provide the awareness program
- Provide evidence of awareness reinforcement
- Provide the Cyber Security Training Program. Supporting Evidence: Addresses to whom it applies, delivery, review, and update frequencies
- Provide training documentation, i.e., attendance records. Supporting Evidence: Include all relevant personnel, documenting date of authorization and date of training
- Provide training material that addresses all of R2.2 and its sub-requirements
- Provide training documentation that includes annual training completion dates
- Provide the Personnel Risk Assessment program
- Provide documentation that specifies when the PRA was conducted and when access was granted
- Provide documentation that the PRA program includes all elements of R3.1
- Provide Personnel Risk Assessment Program language that addresses criteria with respect to "for cause" and schedules for re-assessment
- Provide documentation of assessment results for all relevant personnel. Supporting Evidence: Documentation, i.e., database, application or spreadsheet that shows proof of assessments matched against CIP-004 R4 list(s); contract agreements and associated documentation
- Provide list(s), i.e., spreadsheet, database or other application that tracks all electronic and physical access rights. Supporting Evidence: Documentation of authorized access approvals
- Provide documentation that the list(s) is reviewed quarterly and updated within seven days of any change of access
- Provide documentation that access list(s) for contractors and service vendors are properly maintained
- Provide documentation that access is revoked within 24 hours for personnel terminated for cause and within seven calendar days for personnel who no longer need access

Supporting Evidence for CIP-004 R2, R3, & R4: Provide the following in a spreadsheet, database, etc. for anyone with electronic or physical access to a CCA:
- Employee name and ID (unique identifier)
- Date electronic access granted
- Specific electronic access granted
- Date physical access granted
- Specific physical access granted
- Date electronic access removed
- Date physical access removed
- Date of original training
- Date of annual training
- Date initial PRA completed
- Date PRA updated

CIP-005-3
- For each Critical Cyber Asset identified per CIP-002-3 R3, identify the Electronic Security Perimeter (ESP) within which it resides
- For each ESP, identify each Cyber Asset residing within the perimeter
- For each ESP, identify each access point to the ESP
- For each ESP, identify each cyber asset used in the access control of the ESP
- For each ESP, identify each cyber asset used in the monitoring of the ESP
- For each ESP, provide a high-level diagram showing the major systems protected, all access points, and all access control devices
- For each ESP, provide documentation of processes and mechanisms for control of electronic access to the ESP
- For R2.1, provide evidence that a deny-by-default policy is deployed to sampled Access Points. For R2.2, provide evidence for each sampled Access Point that ports and services are configured/implemented for operations and for monitoring of cyber assets, including justification, within the respective ESP.
- For each cyber asset used in the access control of an ESP, provide evidence that the access control model denies access by default
- Provide the procedure for securing dial-up access to each ESP
- Provide evidence that the procedure for securing dial-up access to each ESP has been implemented, or an attestation that no dial-up access exists for the ESP in question
- For each ESP, if external interactive access to the ESP has been enabled, describe the controls used to authenticate the user
- For each access control device, provide the document identifying the content of the acceptable use banner
- Please see TFE Footnote #4 - Please provide your evidence organized by TFE ID#
- Please see TFE Footnote #4 - Please provide your evidence organized by TFE ID#
- For each ESP, provide the documented electronic or manual processes for monitoring and logging access at access points to each ESP
- Provide evidence that the above processes have been implemented
- Provide evidence that the above processes are operational twenty-four hours a day, seven days a week
- If applicable, provide evidence of alerts and notification of response personnel
- If applicable, provide evidence of review or assessment of access logs
- Please see TFE Footnote #4 - Please provide your evidence organized by TFE ID#
- Provide evidence of alerts for each sampled Access Point where attempts at or actual unauthorized accesses were detected. If alerting was not technically feasible for sampled Access Points, provide evidence of manual review of logs at least every 90 days. Provide evidence of the 90 days prior to the 90 day notification.
- For each ESP, provide documentation of the annual cyber vulnerability assessment
- Provide documentation of the vulnerability assessment process
- Provide documentation of the results of the annual vulnerability assessment
- If applicable, provide the action plan to remediate or mitigate vulnerabilities and the execution status of the action plan
- Provide documentation of annual review for all evidence for CIP-005
- Provide evidence that updates to network control documentation were made within 90 days of a change

- For Access Points selected, provide evidence that access logs are retained for at least ninety calendar days. Provide evidence for the following dates: Date1, Date2, Date3, Date4, Date5

CIP-006-3
- Provide the Physical Security Plan
- Provide documentation of approval of the Physical Security Plan by the senior manager or delegate(s)
- For each Cyber Asset within an ESP, identify the Physical Security Perimeter (PSP) associated with that Cyber Asset.
- Please see TFE Footnote #4 - Please provide your evidence organized by TFE ID#
- For each PSP, provide identification of all physical access points through the PSP and measures to control entry at those access points
- For each PSP, provide evidence that the measures above have been implemented
- For each PSP, provide documentation of the processes, tools, and procedures for monitoring of physical access to the PSP
- For each PSP, provide evidence that the processes, tools and procedures above have been implemented
- Provide documentation of visitor pass management, response to loss, and prohibition of inappropriate use of physical access controls
- Provide documentation of the review of access authorization requests and revocation of access authorization, in accordance with CIP-004-3 Requirement R4.
- For each PSP, provide logs of visitor entry and exit
- For each PSP, provide evidence of continuous escorted access of visitors
- Provide evidence that the Physical Security Plan was updated within 30 calendar days of a physical security change
- Provide evidence of an annual review of the Physical Security Plan
- Provide documentation that physical access control systems are protected from unauthorized physical access
- Provide documentation that physical access control systems are afforded the protective measures in the referenced requirements; this may be addressed as part of the individual applicable requirements or directly in response to this requirement
- Provide documentation that electronic access control systems are located within an identified Physical Security Perimeter
- For each PSP, provide documentation of operational and procedural controls to manage physical access at all access points to the PSP
- Provide evidence that unauthorized access attempts are reviewed immediately and handled in accordance with the procedures specified in Requirement CIP-008-3. Provide evidence of the 90 days prior to the 90 day notification.
- Provide documentation identifying the methods for logging physical access
- For each PSP, provide logs of physical entry to the PSP
- Provide evidence of physical access logs for the implemented logging solution(s) that demonstrates 90 calendar days' worth of logs. Provide evidence for the following dates: Date1, Date2, Date3, Date4, Date5
- For each PSP, provide evidence of a maintenance and testing program for all physical security systems
- For each PSP, provide evidence of testing and maintenance of all physical security mechanisms
- For each PSP, provide the retention period for the testing and maintenance records
- For each PSP, provide the retention period for outage records regarding access controls, logging and monitoring

CIP-007-3
- Provide evidence that all Cyber Assets within the Electronic Security Perimeter are subject to the required test procedures
- Provide evidence that all cyber security controls have been included in the test plans
- Provide evidence (including test results) that all significant updates made to the Cyber Assets selected have been tested. Provide evidence for the past year immediately prior to the 90 day notification.
- Provide documentation that testing was performed in a manner that minimizes impact on the production environment
- Provide documentation that testing was performed in a manner that reflects the production environment
- Provide documentation of test results
- For each Cyber Asset selected, provide a list of each active port and service. For each active port and service identified, provide a description of the port or service and identify the need for that port or service to be enabled
- Please see TFE Footnote #4 - Please provide your evidence organized by TFE ID#
- Provide the security patch management program
- For each Cyber Asset selected, provide evidence of the assessment and implementation of security patches.
- Please see TFE Footnote #4 - Please provide your evidence organized by TFE ID#
- For each Cyber Asset selected, provide evidence of the implementation of anti-virus and malware prevention tools and of the testing and installation of signature updates. Provide documentation of the process used to update anti-malware signatures
- Please see TFE Footnote #4 - Please provide your evidence organized by TFE ID#
- Provide documentation of technical and procedural controls that enforce access authentication and accountability of all user activity
- Provide evidence that user accounts are implemented as authorized
- Provide evidence of audit trails of individual user account activity demonstrating 90 days' worth of logs/audit trails. Provide evidence for the following dates: Date1, Date2, Date3, Date4, Date5
- Provide evidence of an annual review of user accounts to verify access privileges
- Provide the policy on use of administrator, shared, and other generic account privileges
- Identify those individuals with access to shared accounts
- Provide evidence that passwords adhere to the R5.3 sub-requirements as technically feasible
- Please see TFE Footnote #4 - Please provide your evidence organized by TFE ID#
- Please see TFE Footnote #4 - Please provide your evidence organized by TFE ID#
- Please see TFE Footnote #4 - Please provide your evidence organized by TFE ID#
- Please see TFE Footnote #4 - Please provide your evidence organized by TFE ID#
- Provide an explanation of how security status monitoring is implemented
- Please see TFE Footnote #4 - Please provide your evidence organized by TFE ID#
- Provide documentation of the mechanisms to monitor security events within each ESP
- Provide documentation of the alerting system configuration
- Provide a listing of alerts generated by the monitoring systems
- Provide evidence that logs of system events related to cyber security are maintained
- Please see TFE Footnote #4 - Please provide your evidence organized by TFE ID#
- For each Cyber Asset selected, provide evidence that logs of system events related to cyber security are maintained and reviewed. Provide evidence for the following dates: Date1, Date2, Date3, Date4, Date5
- Provide documentation on methods, processes, and procedures for disposal or redeployment of Cyber Assets within the ESP
- Provide records that assets were disposed of or redeployed in accordance with documented procedures
- Provide documentation of the annual vulnerability assessment of all Cyber Assets within the ESP
- Provide documentation of the vulnerability assessment process
- Provide documentation of the results of the annual cyber vulnerability assessment
- If applicable, provide the action plan to remediate or mitigate vulnerabilities and the execution status of the action plan
- Provide documentation and records demonstrating the annual review and update of all documentation for CIP-007

CIP-008-3
- Provide the Cyber Security Incident Response Plan
- Provide the procedure for characterizing and classifying events as reportable Cyber Security Incidents
- Provide roles and responsibilities
- Provide the incident handling procedure
- Provide communication plans
- Provide the process for reporting incidents to the ES-ISAC
- Provide evidence that all reportable incidents were reported to the ES-ISAC, or an assertion that there have been no reportable incidents during the spot check period
- Provide the process for updating response procedures
- Provide the history of Response Plan updates, or an assertion that there have been no updates made during the spot check period
- Provide evidence of annual review
- Provide the history of incident response tests conducted, including 1) type of test (e.g. paper drill, table-top exercise, full response drill, etc.), 2) date of test, 3) incident(s) or event(s) tested
- Provide cyber security incident documentation

CIP-009-3
- Provide Critical Cyber Asset Recovery Plans. List the recovery plan that covers the selected cyber assets.
- Provide the conditions that would invoke the recovery plan
- Provide recovery actions
- Provide roles and responsibilities
- Provide evidence of annual review
- Provide the history of recovery plan exercises conducted, including 1) type of test (e.g. paper drill, table-top exercise, full response drill, etc.), 2) date of test, 3) event(s) or condition(s) tested
- Provide documentation of changes to the recovery plan(s) and documentation of all communications
- Provide documentation regarding the backup and storage of information
- Provide documentation of annual testing of backup media


40 Days (note 2)
X X X X X X X X X X

Upon Request (note 3)

X X X X X X X X

Not in Scope Not in Scope Not in Scope Not in Scope Not in Scope Not in Scope Not in Scope X X X X X X

X X X X X X X

See Device Sampling Tab

X See Personnel Sampling Tab See Personnel Sampling Tab

See Personnel Sampling Tab See Personnel Sampling Tab See Personnel Sampling Tab X See Personnel Sampling Tab See Personnel Sampling Tab X

See Personnel Sampling Tab

See Personnel Sampling Tab

X See Personnel Sampling Tab See Personnel Sampling Tab

See Personnel Sampling Tab

X X X X X X X

See Device Sampling Tab

X X X X X X X X X X X X X

See Device Sampling Tab

X X See Device Sampling Tab See Device Sampling Tab

X X See Device Sampling Tab

See Device Sampling Tab

X X X X X X X X X X X X X X X X X X See Device Sampling Tab X X See Device Sampling Tab See Device Sampling Tab

See Device Sampling Tab

X X X X

X X See Device Sampling Tab X X X

See Device Sampling Tab

X X See Device Sampling Tab X See Device Sampling Tab X X X See Personnel Sample Tab

See Device Sampling Tab

See Personnel Sample Tab

X See Personnel Sample Tab See Personnel Sample Tab X X X X X X See Device Sampling Tab See Device Sampling Tab See Device Sampling Tab See Device Sampling Tab X

See Device Sampling Tab

X X X X See Device Sampling Tab See Device Sampling Tab X

X X X X X X X X X X X X

X See Device Sampling Tab X X X X X Not in Scope X X X


Attachment "C" CIP Data List for Sampling - Phase 2 Instructions

Entity Action Required: Please complete all the worksheets within this spreadsheet and return them to ReliabilityFirst no later than seventy-five (75) calendar days prior to the scheduled review date of the Compliance Audit. Please complete the following worksheets:

Critical Assets (list of all Critical Assets)
- Critical Asset - Name of the Critical Asset
- Asset Function - Enter the function of the Critical Asset, e.g. Primary/Back-Up/Alternate Control Center, Substation, etc.
- Responsible Registered Entity - For a combined audit of multiple registered entities

Cyber Assets (list of all Cyber Assets and the associated ESP and PSP; indicate CCA, NCCA, AP, EACM, PACS)
- Cyber Asset Name - Name of the Cyber Asset
- Critical Asset Name - Name of the Critical Asset where the Cyber Asset resides
- ESP Name - Name of the ESP containing the Cyber Asset
- PSP Name - Name of the PSP containing the Cyber Asset
- Vendor - Name of the vendor for the identified Cyber Asset
- Model - Model name and number of the identified Cyber Asset
- IOS / Platform or Operating System - Name of the platform or operating system running on the Cyber Asset (e.g. Windows, NT, Linux, Unix, DB/App, N/A, etc.)
- Virtual Machine - Enter "Yes" or "No" to indicate whether the asset is a virtual machine
- Asset Type - Enter the type of device, e.g. workstation, server, firewall, switch, IDS, printer, database, etc.
- Supporting Organization - Name of the internal organization supporting the identified CA (e.g. EMS, Substation, Corp IT, Corp Security, etc.)
- Cyber Asset Type - CCA, NCCA, AP, EACM, or PACS
- Responsible Registered Entity - For a combined audit of multiple registered entities

Personnel (list of all personnel with authorized cyber or authorized unescorted physical access to Critical Cyber Assets, and identification of terminated personnel or personnel role changes within the past six (6) months)
- Name - Name of the individual
- Access Type - Physical, Cyber, or Both
- Personnel Type - Employee, Contractor, Vendor or Other
- Date of Termination and/or Personnel Role Change - Identify the date of termination or personnel organization change. Enter N/A if the person is an active employee with no personnel role and responsibility change within the past six (6) months.
- Responsible Registered Entity - For a combined audit of multiple registered entities


Critical Assets worksheet (example entries)

| Sequential number | Critical Asset | Asset Function | Responsible Registered Entity |
|---|---|---|---|
| 1 | SOUTHPARK | PRIMARY CONTROL CENTER | RE1 |
| 2 | NORTHPARK | BACK-UP CONTROL CENTER | RE2 |
| 3 | CEDARCREEK | SUBSTATION | RE3 |

Cyber Assets worksheet (example entries; Cyber Asset Type: choose only one from the example list CCA, NCCA, AP, EACM, PACS)

| Sequential number | Cyber Asset Name | Critical Asset where CCA resides | Name of ESP where CA resides | Name of PSP where CA resides | Vendor | Model | IOS / Platform or Operating System | Virtual Machine | Asset Type | Supporting Organization | Cyber Asset Type | Responsible Registered Entity |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | EXAMPLE_ABC | SOUTHPARK | EXAMPLE_PCC | EXAMPLE_PSP | IBM | NetVista | Windows 2000 | Yes | PC/Laptop | EMS | CCA | RE1 |
| 2 | EXAMPLE_DEF | NORTHPARK | EXAMPLE_SCC | EXAMPLE2_PSP | HP | AU600 | TRU64 UNIX | Yes | Server | Corporate IT | NCCA | RE2 |
| 3 | EXAMPLE_GHI | SOUTHPARK | EXAMPLE_SUBSTATION | EXAMPLE3_PSP | Gener | B2NR8NX0D | N/A | No | Relay | Substation | AP | RE3 |
| 4 | EXAMPLE_JKL | SOUTHPARK | EXAMPLE_SUBSTATION | EXAMPLE4_PSP | Gener | B2NR8NX0D | N/A | No | Router | Corporate IT | EACM | RE4 |
| 5 | EXAMPLE_MNO | SOUTHPARK | EXAMPLE_SUBSTATION | EXAMPLE5_PSP | Gener | B2NR8NX0D | N/A | No | Server | Corporate IT | PACS | RE5 |

Personnel worksheet (example entries)

| Sequential number | Name | Access Type | Personnel Type | Date of Termination | Date of Personnel Change | Responsible Registered Entity | Terminated for Cause? |
|---|---|---|---|---|---|---|---|
| 1 | LASTNAME, FIRSTNAME | Physical Access | Contractor | N/A | 12/15/2011 | RE1 | Y/N |
| 2 | LASTNAME2, FIRSTNAME2 | Cyber Access | Vendor | 12/15/2011 | 12/15/2011 | RE2 | Y/N |
| 3 | LASTNAME3, FIRSTNAME3 | Both | Employee | N/A | 1/3/2012 | RE3 | Y/N |

Device Sample tab columns (populated by RFC with the selected samples): Sequential number; Critical Cyber Asset Name; Critical Asset where CCA resides; Name of ESP where CCA resides; Name of PSP where CCA resides; Vendor; Model; IOS / Platform or Operating System; Virtual Machine; Asset Type; Supporting Organization; Cyber Asset Type; Responsible Registered Entity

CIP3 R6
For the selected Cyber Assets, provide documentation to demonstrate that the change control and configuration management process has been implemented. Provide changes for the past year immediately prior to the 90 day notification.

CIP5 R2.1 ,R 2.2


For R2.1, provide evidence that deny-bydefault policy is deployed to sampled Access Points. For R2.2, provide evidence for each sampled Access Point that Ports and Services are configured/implemente d for operations and for monitoring of cyber assets, including justification, within the respective ESP.

CIP5 R3.2
Provide evidence of alerts for each sampled Access Point where attempts at or actual unauthoriz ed accesses were detected. If alerting was not technically feasible for sampled Access Points provide evidence of manual review of logs at least every 90days. Provide evidence of the 90 days


CIP5 R5.3
For the Access Points selected, provide evidence that access logs are retained for at least ninety calendar days. Provide evidence for the following dates: Date1, Date2, Date3, Date4, Date5.

CIP6 R5
Provide evidence that unauthorized access attempts are reviewed immediately and handled in accordance with the procedures specified in Requirement CIP-008-3. Provide evidence for the 90 days prior to the 90 day notification.

CIP6 R7
Provide evidence of physical access logs from the implemented logging solution(s) that demonstrates 90 calendar days' worth of logs. Provide evidence for the following dates: Date1, Date2, Date3, Date4, Date5.

CIP7 R1
Provide evidence (including test results) that all significant updates made to the Cyber Assets selected have been tested. Provide evidence for the year immediately prior to the 90 day notification.

CIP7 R2
For each Cyber Asset selected, provide a list of each active port and service. For each active port and service identified, provide a description of the port or service and identify the need for that port or service to be enabled.
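Added example, not part of the Attachment C workbook or any ReliabilityFirst tool: a Python script that turns a listening-socket inventory taken on the asset itself into the ports-and-services list with justification that both the CIP5 R2.2 and the CIP7 R2 columns ask for. It joins each observed listener to an approved baseline, flags listeners with no documented need, and flags baseline entries that no longer correspond to anything listening (a stale justification is a finding in its own right, since it means the baseline was not maintained). The `ss -tulnp` output, the baseline dictionary, the process names and the justification wording are all constructed for illustration; in practice the justification text comes from the entity's approved baseline document.

```python
import re
from collections import namedtuple

# Constructed sample of `ss -tulnp` output from a hypothetical sampled server.
# It is not a capture from any audited system.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
tcp   LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=944,fd=6))
tcp   LISTEN 0      5      127.0.0.1:4242      0.0.0.0:*         users:(("vendor-agent",pid=1302,fd=9))
udp   UNCONN 0      0      0.0.0.0:123         0.0.0.0:*         users:(("ntpd",pid=701,fd=16))
udp   UNCONN 0      0      0.0.0.0:161         0.0.0.0:*         users:(("snmpd",pid=733,fd=7))
"""

# Hypothetical approved baseline: (protocol, port) -> documented need.
# tcp/23 is kept in the baseline although nothing listens on it, to show how a
# stale justification is reported.
BASELINE = {
    ("tcp", 22): "SSH for EMS support staff; reachable only from the jump host",
    ("tcp", 23): "Telnet console for legacy device management (scheduled for removal)",
    ("tcp", 443): "HTTPS operator HMI",
    ("udp", 123): "NTP, needed so log timestamps can be correlated (CIP7 R5/R6 evidence)",
    ("udp", 161): "SNMP polled by the Corporate IT monitoring server",
}

Listener = namedtuple("Listener", "proto port local process")
_PROCESS_RE = re.compile(r'\(\("([^"]+)"')


def parse_ss(text):
    """Parse listening TCP/UDP sockets from `ss -tulnp` output."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[1] not in ("LISTEN", "UNCONN"):
            continue  # header line or a non-listening socket
        local = fields[4]
        port = int(local.rsplit(":", 1)[1])  # handles 0.0.0.0:22, [::]:22 and *:22
        match = _PROCESS_RE.search(line)
        listeners.append(Listener(fields[0], port, local,
                                  match.group(1) if match else "unknown"))
    return listeners


def build_ports_services_evidence(ss_text, baseline):
    """Join observed listeners to the baseline; report listeners with no need on
    record (unjustified) and baseline entries that no longer listen (stale)."""
    listeners = parse_ss(ss_text)
    observed = {(l.proto, l.port) for l in listeners}
    rows = [{"proto": l.proto, "port": l.port, "local": l.local,
             "process": l.process, "justification": baseline.get((l.proto, l.port))}
            for l in listeners]
    return {
        "rows": rows,
        "unjustified": sorted(k for k in observed if k not in baseline),
        "stale_baseline": sorted(k for k in baseline if k not in observed),
    }


if __name__ == "__main__":
    evidence = build_ports_services_evidence(SAMPLE_SS_OUTPUT, BASELINE)
    for r in evidence["rows"]:
        print(f'{r["proto"]}/{r["port"]:<5} {r["local"]:<16} {r["process"]:<13} '
              f'{r["justification"] or "*** NO JUSTIFICATION ON RECORD ***"}')
    print("unjustified listeners:", evidence["unjustified"])
    print("baseline entries with no listener:", evidence["stale_baseline"])
```

The listing must come from the sampled asset (for example `ss -tulnp` or `netstat -anob` run locally with the output dated), not from a network scan, because a scan only shows what is reachable from one vantage point and would miss the loopback-only listener in the sample above. The unjustified and stale lists are the part of the evidence an auditor reads first.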

CIP7 R3
For each Cyber Asset selected, provide evidence of the assessment and implementation of security patches.

CIP7 R4
For each Cyber Asset selected, provide evidence of the implementation of antivirus and malware prevention tools and of the testing and installation of signature updates.

CIP7 R5.1.2
Provide evidence of audit trails of individual user account activity demonstrating 90 days' worth of logs/audit trails. Provide evidence for the following dates: Date1, Date2, Date3, Date4, Date5.

CIP7 R6
For each Cyber Asset selected, provide evidence that logs of system events related to cyber security are maintained and reviewed. Provide evidence for the following dates: Date1, Date2, Date3, Date4, Date5.

CIP 9 R1
List the Recovery plan that covers the selected cyber assets.
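Added example, not part of the workbook: a Python check for the four columns above that ask for 90 days of logs and for entries on five requested dates (CIP5 R5.3, CIP6 R7, CIP7 R5.1.2 and CIP7 R6). Given an exported log, it verifies that the retained entries span the full 90 calendar days, lists any run of days inside that window with no entries at all, and confirms that each requested Date1 to Date5 has at least one entry. The syslog-style log lines, the five sample dates, the host name and the reading of "90 calendar days" as the 90-day window ending on the date of the 90 day notification are assumptions made for the example.

```python
from datetime import date, datetime, timedelta


def _constructed_log_lines():
    """Constructed syslog-style sample: one sshd login event per day from
    2012-05-01 to 2012-08-09, with 2012-06-10 .. 2012-06-12 deliberately
    left out to show how a retention gap is reported. Not a real capture."""
    lines = []
    day = date(2012, 5, 1)
    while day <= date(2012, 8, 9):
        if not date(2012, 6, 10) <= day <= date(2012, 6, 12):
            lines.append(
                f"{day.isoformat()}T14:02:11 ems-hmi01 sshd[812]: "
                "Accepted publickey for opsuser from 10.20.30.40 port 51234"
            )
        day += timedelta(days=1)
    return lines


SAMPLE_LOG_LINES = _constructed_log_lines()

# Hypothetical Date1 .. Date5 as an audit team might request them, and the
# assumed end of the retention window (the date of the 90 day notification).
SAMPLE_DATES = [date(2012, 5, 15), date(2012, 6, 11), date(2012, 7, 4),
                date(2012, 8, 1), date(2012, 8, 9)]
NOTIFICATION_DATE = date(2012, 8, 9)


def log_dates(lines):
    """Set of calendar days that have at least one parseable log entry."""
    days = set()
    for line in lines:
        try:
            days.add(datetime.strptime(line[:19], "%Y-%m-%dT%H:%M:%S").date())
        except ValueError:
            continue  # an unparseable line is not evidence of retention
    return days


def check_retention(lines, sample_dates, window_end, window_days=90):
    """Report whether the log covers the window, which requested sample dates
    have no entry, and every run of days inside the window with no entries."""
    days = log_dates(lines)
    window_start = window_end - timedelta(days=window_days - 1)  # inclusive window
    oldest = min(days) if days else None
    covers = (oldest is not None and oldest <= window_start
              and max(days) >= window_end)
    missing = sorted(d for d in sample_dates if d not in days)
    gaps = []
    day = window_start
    while day <= window_end:
        if day in days:
            day += timedelta(days=1)
            continue
        start = day
        while day <= window_end and day not in days:
            day += timedelta(days=1)
        gaps.append((start, day - timedelta(days=1), (day - start).days))
    return {"window": (window_start, window_end), "oldest_entry": oldest,
            "covers_window": covers, "missing_sample_dates": missing,
            "gaps": gaps}


def run_sample_check():
    return check_retention(SAMPLE_LOG_LINES, SAMPLE_DATES, NOTIFICATION_DATE)


if __name__ == "__main__":
    result = run_sample_check()
    print("window:", *result["window"])
    print("oldest entry:", result["oldest_entry"],
          "covers window:", result["covers_window"])
    for start, end, n in result["gaps"]:
        print(f"gap: {start} .. {end} ({n} days without entries)")
    print("sample dates with no entry:", result["missing_sample_dates"])
```

A gap does not by itself prove that retention failed (a quiet device may legitimately log nothing on a given day), but it is exactly where an auditor will ask for a second source, so running this check before submitting the evidence file tells the entity which dates need an explanation. The date parsing assumes ISO 8601 timestamps at the start of each line; a different export format only needs the `strptime` pattern in `log_dates` changed.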

Personnel Sample tab - column headers (populated by RFC with the selected personnel; the entity completes the remaining fields in Phase 4)

Identification:
  Sequential number; Name; Access Type; Personnel Type; Group; Entity; Responsible Registered Entity

TRAINING:
  2010 DATES or oldest on record; 2011 DATES; 2012 DATES; ATTENDANCE LOG REQUESTED (Y/N)

PRA DATES:
  OLDEST ON RECORD; MOST RECENT; NEXT

PRA CONTENTS (RFC to complete):
  REDACTED PRA SAMPLE REQUESTED (Y/N); REDACTED PRA SAMPLE RECEIVED DATE; PRA 7 YR AUTHORIZATION (Y/N) (for most recent PRA); SS# CHECK (Y/N) (for most recent PRA); CRIMINAL CHECK (Y/N); DATE

CRITICAL CYBER ASSET - AUTHORIZED CYBER ACCESS:
  ACCESS GRANTED DATE; CURRENT STATUS - ACTIVE / NON ACTIVE; ANY CHANGE IN ACCESS RIGHTS (Y/N); ACCESS CHANGE MADE; ACCESS CHANGE DATE; DATE CHANGE IDENTIFIED; REVOCATION REQUIRED (Y/N); IF YES, REVOCATION DATE; EMPLOYMENT TERMINATION DATE; TERMINATED FOR CAUSE (Y/N); ACCESS NO LONGER REQUIRED (Y/N); IF YES, DATE IDENTIFIED

CRITICAL CYBER ASSET - AUTHORIZED UNESCORTED PHYSICAL ACCESS:
  AUTHORIZATION DATE; ACCESS GRANTED DATE; CURRENT STATUS - ACTIVE / NON ACTIVE; ANY CHANGE IN ACCESS RIGHTS (Y/N); ACCESS CHANGE MADE; ACCESS CHANGE DATE; DATE CHANGE IDENTIFIED; REVOCATION REQUIRED (Y/N); IF YES, REVOCATION DATE; EMPLOYMENT TERMINATION DATE; TERMINATED FOR CAUSE (Y/N); IF YES, DATE IDENTIFIED; ACCESS NO LONGER REQUIRED (Y/N); IF YES, REVOCATION DATE

Evidence and comments:
  CIP 006 R1.5 - Provide 1 evidence file for all sampled personnel; CIP 007 R5 - Provide 1 evidence file for all sampled personnel; ENTITY COMMENTS; RFC COMMENTS

Attachment "C" CIP Data List for Sampling Phase 3 Instructions

RFC Action Required: Select samples and populate the Device Sample and Personnel Sample tabs using the approved methodology (and the Device Sample Matrix and Personnel Sample Templates) and return them to the entity no later than sixty-five (65) calendar days prior to the scheduled review date of the Compliance Audit.

Please complete the following worksheets:

Device Sample (List of selected Cyber Assets and the associated Standards and Requirements merged with the Device Sample Matrix)
Pull the required samples using the approved methodology and merge them with the Device Sample Matrix. Change the Device Sample tab color to Green prior to sending to the entity.
Cyber Asset Name - Name of the Cyber Asset
Critical Asset Name - Name of the Critical Asset where the Cyber Asset resides
ESP Name - Name of the ESP containing the Cyber Asset
PSP Name - Name of the PSP containing the Cyber Asset
Vendor - Name of the vendor for the identified Cyber Asset
Model - Model name and number of the identified Cyber Asset
IOS / Platform or Operating System - Name of the platform or operating system running on the Cyber Asset (e.g. Windows, NT, Linux, Unix, DB/App, N/A, etc.)
Virtual Machine - Enter "Yes" or "No" according to whether the asset is a virtual machine
Asset Type - Enter the type of device, e.g. workstation, server, firewall, switch, IDS, printer, database, etc.
Supporting Organization - Name of the internal organization supporting the identified CA (e.g. EMS, Substation, Corp IT, Corp Security, etc.)
Cyber Asset Type - CCA, NCCA, AP, EACM or PACS
Responsible Registered Entity - For a combined audit of multiple registered entities

Personnel Sample (List of selected personnel with authorized cyber or authorized unescorted physical access to Critical Cyber Assets and identification of terminated personnel or personnel role changes within the past six (6) months)
Pull the required samples using the approved methodology and merge them with the Personnel Sample Template. Change the Personnel Sample tab color to Green prior to sending to the entity.
Name - Name of the individual
Access Type - Should be Physical, Cyber, or Both
Personnel Type - Should be Employee, Contractor, Vendor or Other
Date of Termination and/or Personnel Role Change - Identify the date of termination or personnel organization change. Enter N/A if the person is an active employee with no personnel role and responsibility change within the past six (6) months.
Responsible Registered Entity - For a combined audit of multiple registered entities

Attachment "C" CIP Data List for Sampling Phase 4 Instructions

Entity Action Required: Complete the Device Sample and Personnel Sample tabs per the instructions below and return them to RFC no later than forty (40) calendar days prior to the scheduled review date of the Compliance Audit.

Please complete the following worksheets:

Device Sample (List of selected Cyber Assets and the associated Standards and Requirements)
Provide an evidence file reference for each Standard/Requirement column listed that is not "greyed out". It is preferred that each requirement has one PDF file containing the information for all the samples within that requirement.

Personnel Sample (List of selected personnel with authorized cyber or authorized unescorted physical access to Critical Cyber Assets and identification of terminated personnel or personnel role changes within the past six (6) months)
Complete the required fields for each person. For the columns CIP 6 R1.5 and CIP 7 R5, it is preferred that each requirement has one file containing the information for all the samples within that requirement. In this file, include the appropriate training records and redacted PRAs for the selected individuals.

Version history

Date                Name              Version   Changes
December 17, 2010   Bob Yates         1         Initial release of Attachment C spreadsheet.
February 15, 2011   Bob Yates         2         Added type to Critical Assets, Critical Cyber Assets and Non-Critical Cyber Assets.
October 19, 2011    Bob Yates         3         Added a Changes tab and instruction to gather the total population of changes from 10/1/2010 through the 90 day notification. This will allow for sampling of changes for CIP-003-3 R6.
December 19, 2011   Kristie Purcell   4         Changed due date in instructions from 30 days to 75 days.
December 20, 2011   Rhonda Bramer               Added Asset Function field to the Instruction and Critical Asset tabs; added Vendor, Model, Platform or O/S, Function Performed and Supporting Organization fields to the CCA, Non-CCA, ESP Access Points, ACM and Instruction tabs. Changed "abbreviation" to "acronyms" and added acronyms to the Instructions tab. Added examples to the worksheets and formatted.
January 23, 2012    Rhonda Bramer     5.1       1) Changed field "Asset Function" to "Asset Type" on the CCA, NCCA, AP and ACM tabs for clarity; 2) added filters on each worksheet to enable filtering for each tab/worksheet; 3) removed Changes tab; 4) added "Date of Termination" and "Date of Personnel Role Change" columns to the Personnel tab; 5) added "Critical Asset" column to the CCA, NCCA, AP and ACM tabs to map respective assets back to the Critical Asset; 6) added additional examples to each of the worksheets; 7) updated the Instructions tab to reflect the above changes; 8) moved the Instructions tab to be the first worksheet within the workbook; 9) moved the Personnel tab to be after the ACM worksheet.
February 23, 2012   Todd Thompson     5.2       Added a "Yes" or "No" column for "Virtual Machine" in the following tabs: Critical Cyber Assets, Non-Critical Cyber Assets, ESP Access Points and Access Control and Monitoring. Also updated the Instructions tab to reflect the change above.
June 25, 2012       John Kellerhals   5.3       Incorporated multiple sample sheets into this spreadsheet for ease of use.
July 3, 2012        John Kellerhals   5.4       Added Responsible Registered Entity columns to support combined audits.
August 24, 2012     John Kellerhals   5.5       Included feedback suggestions from entities.
November 15, 2012   John Kellerhals   6         Release including instructions for 4 phases.
November 28, 2012   John Kellerhals   6.1       Release including instructions for 4 phases.
