RELIABILITY | RESILIENCE | SECURITY

Agenda
Standards Committee and Compliance and Certification Committee Joint Meeting
September 24, 2020 | 11:00 a.m. – 2:00 p.m. Eastern

Dial-in: 1-415-655-0002 | Access Code: 172 784 1574 | Meeting Password: Sept2020

Introduction and Chair’s Remarks

Welcome – Rob Manning, NERC Board of Trustees Member

NERC Antitrust Compliance Guidelines and Public Announcement

Agenda Items

1. Administrative - Secretary (WebEx Directions)

2. RSTC Organizational Structure and Process* - Inform - Greg Ford or David Zwergel

3. Align Implementation* - Update - Andy Rodriguez and Dee Humphries

4. Functional Model Task Force* - Update - John Allen and Todd Bennett

a. Functional Model Task Force Scope*

5. NERC Internal Audit of Reliability Standards Development Program* - Inform - Monica Bales

6. Project Management and Oversight Subcommittee (PMOS) - Update - Charles Yeung

7. Standards Committee Process Subcommittee (SCPS) - Update - Sean Bodkin

8. NERC Report on Cloud and Virtualization* - Discuss - Steven Noess and Lonnie Ratliff

9. Standards Efficiency Review* - Inform - John Allen and Chris Larson

10. Work Plan Highlights* (SC and CCC) - Inform - Todd Bennett and Scott Tomashefsky

11. Compliance and Standards Outreach - Inform - Steven Noess

*Background materials included.

NERC Antitrust Compliance Guidelines

I. General

It is NERC’s policy and practice to obey the antitrust laws and to avoid all conduct that unreasonably restrains competition. This policy requires the avoidance of any conduct that violates, or that might appear to violate, the antitrust laws. Among other things, the antitrust laws forbid any agreement between or among competitors regarding prices, availability of service, product design, terms of sale, division of markets, allocation of customers or any other activity that unreasonably restrains competition. It is the responsibility of every NERC participant and employee who may in any way affect NERC’s compliance with the antitrust laws to carry out this commitment.

Antitrust laws are complex and subject to court interpretation that can vary over time and from one court to another. The purpose of these guidelines is to alert NERC participants and employees to potential antitrust problems and to set forth policies to be followed with respect to activities that may involve antitrust considerations. In some instances, the NERC policy contained in these guidelines is stricter than the applicable antitrust laws. Any NERC participant or employee who is uncertain about the legal ramifications of a particular course of conduct or who has doubts or concerns about whether NERC’s antitrust compliance policy is implicated in any situation should consult NERC’s General Counsel immediately.

II. Prohibited Activities

Participants in NERC activities (including those of its committees and subgroups) should refrain from the following when acting in their capacity as participants in NERC activities (e.g., at NERC meetings, conference calls and in informal discussions):

Discussions involving pricing information, especially margin (profit) and internal cost information and participants’ expectations as to their future prices or internal costs.

Discussions of a participant’s marketing strategies.

Discussions regarding how customers and geographical areas are to be divided among competitors.

Discussions concerning the exclusion of competitors from markets.

Discussions concerning boycotting or group refusals to deal with competitors, vendors or suppliers.

Any other matters that do not clearly fall within these guidelines should be reviewed with NERC’s General Counsel before being discussed.

III. Activities That Are Permitted

From time to time decisions or actions of NERC (including those of its committees and subgroups) may have a negative impact on particular entities and thus in that sense adversely impact competition. Decisions and actions by NERC (including its committees and subgroups) should only be undertaken for the purpose of promoting and maintaining the reliability and adequacy of the bulk power system. If you do not have a legitimate purpose consistent with this objective for discussing a matter, please refrain from discussing the matter during NERC meetings and in other NERC-related communications.

You should also ensure that NERC procedures, including those set forth in NERC’s Certificate of Incorporation, Bylaws, and Rules of Procedure are followed in conducting NERC business.

In addition, all discussions in NERC meetings and other NERC-related communications should be within the scope of the mandate for or assignment to the particular NERC committee or subgroup, as well as within the scope of the published agenda for the meeting.

No decisions should be made nor any actions taken in NERC activities for the purpose of giving an industry participant or group of participants a competitive advantage over other participants. In particular, decisions with respect to setting, revising, or assessing compliance with NERC reliability standards should not be influenced by anti-competitive motivations.

Subject to the foregoing restrictions, participants in NERC activities may discuss:

Reliability matters relating to the bulk power system, including operation and planning matters such as establishing or revising reliability standards, special operating procedures, operating transfer capabilities, and plans for new facilities.

Matters relating to the impact of reliability standards for the bulk power system on electricity markets, and the impact of electricity market operations on the reliability of the bulk power system.

Proposed filings or other communications with state or federal regulatory authorities or other governmental entities.

Matters relating to the internal governance, management and operation of NERC, such as nominations for vacant committee positions, budgeting and assessments, and employment matters; and procedural matters such as planning and scheduling meetings.

Public Meeting Notice

REMINDER FOR USE AT BEGINNING OF MEETINGS AND CONFERENCE CALLS THAT HAVE BEEN PUBLICLY NOTICED AND ARE OPEN TO THE PUBLIC

Conference call/webinar version: As a reminder to all participants, this webinar is public. The registration information was posted on the NERC website and widely distributed. Speakers on the call should keep in mind that the listening audience may include members of the press and representatives of various governmental authorities, in addition to the expected participation by industry stakeholders.

Face-to-face meeting version: As a reminder to all participants, this meeting is public. Notice of the meeting was posted on the NERC website and widely distributed. Participants should keep in mind that the audience may include members of the press and representatives of various governmental authorities, in addition to the expected participation by industry stakeholders.

For face-to-face meeting, with dial-in capability: As a reminder to all participants, this meeting is public. Notice of the meeting was posted on the NERC website and widely distributed. The notice included the number for dial-in participation. Participants should keep in mind that the audience may include members of the press and representatives of various governmental authorities, in addition to the expected participation by industry stakeholders.

NERC Participant Conduct Policy

General

Consistent with its Rules of Procedure, Bylaws, and other governing documents, NERC regularly collaborates with its members and other stakeholders to help further its mission to assure the effective and efficient reduction of risks to the reliability and security of the grid. Many NERC members and other bulk power system experts provide time and expertise to NERC, and the general public, by participating in NERC committees, subcommittees, task forces, working groups, and standard drafting teams, among other things. To ensure that NERC activities are conducted in a responsible, timely, and efficient manner, it is essential to maintain a professional and constructive work environment for all participants, including NERC staff; members of NERC committees, subcommittees, task forces, working groups, and standard drafting teams; as well as any observers of these groups.

To that end, NERC has adopted the following Participant Conduct Policy (this “Policy”) for all participants engaged in NERC activities. Nothing in this Policy is intended to limit the powers of the NERC Board of Trustees or NERC management as set forth in NERC’s organizational documents, the NERC Rules of Procedure, or under applicable law. This Policy does not apply to the NERC Board of Trustees or the Member Representatives Committee.

Participant Conduct Policy

All participants in NERC activities must conduct themselves in a professional manner at all times. This Policy includes in-person conduct and any communication, electronic or otherwise, made as a participant in NERC activities. Examples of unprofessional conduct include, but are not limited to, verbal altercations, use of abusive language, personal attacks or derogatory statements made against or directed at another participant, and frequent or patterned interruptions that disrupt the efficient conduct of a meeting or teleconference.

Additionally, participants shall not use NERC activities for commercial purposes or for their own private purposes, including, but not limited to, advertising or promoting a specific product or service, announcements of a personal nature, sharing of files or attachments not directly relevant to the purpose of the NERC activity, and communication of personal views or opinions, unless those views are directly related to the purpose of the NERC activity. Unless authorized by an appropriate NERC officer, individuals participating in NERC activities are not authorized to speak on behalf of NERC or to indicate their views represent the views of NERC, and should provide such a disclaimer if identifying themselves as a participant in a NERC activity to the press, at speaking engagements, or through other public communications.

Finally, participants shall not distribute work product developed during the course of NERC activities if that work product is deemed Confidential Information consistent with the NERC Rules of Procedure Section 1500. Participants also shall not distribute work product developed during the course of NERC activities if distribution is not permitted by NERC or the relevant committee chair or vice chair (e.g., an embargoed report), provided that NERC, or the committee chair or vice chair in consultation with NERC staff, may grant in writing a request by a participant to allow further distribution of the work product to one or more specified entities within its industry sector if deemed to be appropriate. Any participant that distributes work product labeled “embargoed,” “do not release,” or “confidential” (or other similar labels) without written approval for such further distribution would be in violation of this Policy. Such participants would be subject to restrictions on participation, including permanent removal from participation on a NERC committee or other NERC activity.

Reasonable Restrictions on Participation

If a participant does not comply with this Policy, certain reasonable restrictions on participation in NERC activities may be imposed as described below.

If a NERC staff member, or committee chair or vice chair after consultation with NERC staff, determines, by his or her own observation or by complaint of another participant, that a participant’s behavior is disruptive to the orderly conduct of a meeting in progress or otherwise violates this Policy, the NERC staff member or committee chair or vice chair may remove the participant from a meeting. Removal by the NERC staff member or committee chair or vice chair is limited solely to the meeting in progress and does not extend to any future meeting. Before a participant may be asked to leave the meeting, the NERC staff member or committee chair or vice chair must first remind the participant of the obligation to conduct himself or herself in accordance with this Policy and provide an opportunity for the participant to comply. If a participant is requested to leave a meeting by a NERC staff member or committee chair or vice chair, the participant must cooperate fully with the request.

Similarly, if a NERC staff member, or committee chair or vice chair after consultation with NERC staff, determines, by his or her own observation or by complaint of another participant, that a participant’s behavior is disruptive to the orderly conduct of a teleconference in progress or otherwise violates this Policy, the NERC staff member or committee chair or vice chair may request the participant to leave the teleconference. Removal by the NERC staff member or committee chair or vice chair is limited solely to the teleconference in progress and does not extend to any future teleconference. Before a participant may be asked to leave the teleconference, the NERC staff member or committee chair or vice chair must first remind the participant of the obligation to conduct himself or herself in accordance with this Policy and provide an opportunity for the participant to comply. If a participant is requested to leave a teleconference by a NERC staff member or committee chair or vice chair, the participant must cooperate fully with the request. Alternatively, the NERC staff member or committee chair or vice chair may choose to terminate the teleconference.

At any time, a NERC officer, after consultation with NERC’s General Counsel, may impose a restriction on a participant from one or more future meetings or teleconferences, a restriction on the use of any NERC-administered listserv or other communication list, or such other restriction as may be reasonably necessary to maintain the orderly conduct of NERC activities. Before approving any such restriction, the NERC General Counsel must provide notice to the affected participant and an opportunity to submit a written objection to the proposed restriction no fewer than seven days from the date on which notice is provided. If approved, the restriction is binding on the participant, and NERC will notify the organization employing or contracting with the restricted participant. A restricted participant may request removal of the restriction by submitting a request in writing to the NERC General Counsel. The restriction will be removed at the reasonable discretion of the NERC General Counsel or a designee.

Upon the authorization of the NERC General Counsel, NERC may require any participant in any NERC activity to execute a written acknowledgement of this Policy and its terms and agree that continued participation in any NERC activity is subject to compliance with this Policy.

Guidelines for Use of NERC Email Lists

NERC provides email lists, or “listservs,” to NERC stakeholder committees, groups, and teams to facilitate sharing information about NERC activities. It is the policy of NERC that all emails sent to NERC listservs be limited to topics that are directly relevant to the listserv group’s assigned scope of work. NERC reserves the right to apply administrative restrictions to any listserv or its participants, without advance notice, to ensure that the resource is used in accordance with this and other NERC policies.

Prohibited activities include using NERC-provided listservs for any price-fixing, division of markets, and/or other anti-competitive behavior. Recipients and participants on NERC listservs may not utilize NERC listservs for their own private purposes. This may include lobbying for or against pending balloted standards, announcements of a personal nature, sharing of files or attachments not directly relevant to the listserv group’s scope of responsibilities, or communication of personal views or opinions, unless those views are provided to advance the work of the listserv’s group. Any offensive, abusive, or obscene language or material shall not be sent across the NERC listservs.

Any participant who has concerns about this Policy may contact NERC’s General Counsel.

Version History

Version | Date | Revisions
1 | February 6, 2019 | Initial version
2 | February 22, 2019 | Clarified policy does not apply to Board or MRC; Address participants speaking on behalf of NERC

RSTC Organizational Review Update and Recommendation

David Zwergel, Vice Chair
Compliance and Certification and Standards Committees Joint Meeting
September 24, 2020

Agenda Item 2
Standards Committee and Compliance and Certification Committee
September 24, 2020

Goals of RSTC Transition

• Set up the RSTC to deliver on the goals outlined in its charter
• Maintain continuity in all ongoing, high-value work across the subgroups
• Capture best practices and synergies through the integration of processes across the “legacy” committees
• Clearly document roles and responsibilities and processes for RSTC to improve clarity going forward and speed transition
• Developing a model to support subgroups that is more collaborative while maintaining alignment to overall NERC strategy

Proposed Operating Model Overview

• Organize existing RSTC subgroups by Program Areas: Performance Monitoring; Reliability and Security Assessment; Risk Mitigation

• The Program Areas are NOT subcommittees but rather a simple way to organize work in distinct groups

• Sponsors would be assigned based on subgroup topics and work loads

• The Program Areas are supported by RSTC sponsors and NERC staff and would be responsible for managing work flow/ deliverables

• Security is expected to be a consideration for each subgroup where appropriate

Proposed Operating Model

[Organization chart; box labels in extraction order]
Reliability and Security Assessment (Focus: Emerging Issues)
Real-Time Operations Subcommittee
Performance Monitoring (Focus: monitoring and analysis)
Security Integration and Technology Enablement Subcommittee (New)
Reliability and Security Assessment Sponsors
Performance Monitoring Sponsors
Reliability Assessment Subcommittee
Event Analysis Subcommittee
Performance Analysis Subcommittee
Resources Subcommittee
Risk Mitigation Sponsors
IRPWG
SPIDERWG
SPCWG
EMPTF
GMDTF
Risk Mitigation (Focus: Mitigate existing and emerging risks)
SWG
SCWG
LMWG
PPMVTF
EGWG
SRTWG

Subgroups

Committee Subgroups

Subcommittee
Scope:
• Oversee broad processes
• Manage cyclical deliverables
Duration: Long-term
Approvals: Consensus seeking; vote as specified by its scope
Leadership: Nominated by subcommittee; Approved by RSTC Leadership

Working Group
Scope:
• Oversee specific data systems
• Support specific initiatives with broader interaction with other subgroups/topics
• Support a cyclical process
• Support parent subcommittee
Duration: Long-term/mid-term
Approvals: Consensus seeking; non-voting
Leadership: Nominated by working group, parent subcommittee, or direct appointment by the NERC Technical Committees; approved by RSTC Leadership

Task Force
Scope:
• Support a specific initiative
• Direct, often only one deliverable
• Support parent subcommittee
Duration: Short-term
Approvals: Consensus seeking; non-voting
Leadership: Nominated by task force, parent subcommittee, or direct appointment by the NERC Technical Committees; approved by RSTC Leadership

Proposed Operating Model
Performance Monitoring

[Organization chart; box labels in extraction order]
Reliability and Security Technical Committee (RSTC)
Executive Committee
Performance Monitoring
Real-Time Operations Subcommittee (RTOS)
Resources Subcommittee (RS)
Reserves Working Group (RWG)
Frequency Working Group (FWG)
Event Analysis Subcommittee (EAS)
Energy Management Systems Working Group (EMSWG)
Performance Analysis Subcommittee (PAS)
Failure Modes and Mechanisms Task Force (FMMTF)
Synchronized Measurements Working Group (SMWG)
Reliability Operations Coordination
Operating Reliability Subcommittee (ORS)
Balancing and Frequency Response
Resources Subcommittee (RS)
Inadvertent Interchange Working Group (IIWG)
Reserves Working Group (RWG)
Frequency Working Group (FWG)
Event Analysis
Event Analysis Subcommittee (EAS)
Energy Management Systems Working Group (EMSWG)
Failure Modes and Mechanisms Task Force (FMMTF)
Performance Analysis and Data Collection
Performance Analysis Subcommittee (PAS)
GADS Working Group (GADSWG)
TADS Working Group (TADSWG)
DADS Working Group (DADSWG)
MIDAS Working Group (MIDASWG)
Planning and Modeling
Synchronized Measurements Subcommittee (SMS)
Move to NERC User Groups
Retire
GADS Working Group (GADSWG)
TADS Working Group (TADSWG)
DADS Working Group (DADSWG)
MIDAS Working Group (MIDASWG)
Inadvertent Interchange Working Group (IIWG)

Proposed Operating Model
Reliability and Security Assessment

[Organization chart; box labels in extraction order]
Reliability and Security Technical Committee (RSTC)
Executive Committee
Reliability and Security Assessment
Reliability Assessment Subcommittee (RAS)
Probabilistic Assessment Working Group (PAWG)
Security Integration and Technology Enablement Subcommittee (SITES) - New
Adequacy Assessments
Reliability Assessment Subcommittee (RAS)
Probabilistic Assessment Working Group (PAWG)

Security Integration and Technology Enablement Subcommittee (SITES)

• Reliability and Security Assessment Program Area
• Vetting technology landscape
• Identify barriers to adoption of technology
• Providing a forum for advancing and integrating new technology
• Considering cyber and physical threats more directly in planning, operations, design, and restoration activities
  - Identify solutions that eliminate or mitigate potential reliability, security, and resilience risks to the BPS that could result from an increased cyber-attack surface or improperly implemented technologies
• Identifying and considering potential security threats and emerging risks e.g., DERMS, inverters, supply chain, PMUs

Proposed Operating Model
Risk Mitigation

[Organization chart; box labels in extraction order. Legend labels: To be retired in Early 2021; E-ISAC]
Reliability and Security Technical Committee (RSTC)
Executive Committee
Risk Mitigation
Supply Chain Working Group (SCWG)
Security Working Group (SWG) – former CIWG
Security and Reliability Training Working Group (SRTWG) - merged
System Planning Impacts from DER Working Group (SPIDERWG)
Inverter-Based Resource Performance Working Group (IRPWG)
Electric-Gas Working Group (EGWG)
EMP Task Force (EMPTF)
Load Modeling Working Group (LMWG)
Power Plant Modeling and Verification Task Force (PPMVTF)
Issue-Focused
Physical and Cyber Security
Supply Chain Working Group (SCWG)
Grid Exercise Working Group (GEWG)
Physical Security Advisory Group (PSAG)
Compliance Input Working Group (CIWG)
Security Training Working Group (STWG)
Planning and Modeling
Load Modeling Task Force (LMTF)
Power Plant Modeling & Verification Task Force (PPMVTF)
System Protection and Control Subcommittee (SPCS)
System Planning Impacts from DER Working Group (SPIDERWG)
GMD Task Force (GMDTF)
Inverter-Based Resource Performance Task Force (IRPTF)
Electric-Gas Working Group (EGWG)
EMP Task Force (EMPTF)
Training and Outreach
Reliability Training Working Group (RTWG)
Oversight Moved to E-ISAC
E-ISAC
Physical Security Advisory Group (PSAG)
Grid Exercise Working Group (GEWG)
GMD Task Force (GMDTF)
System Protection and Control Working Group (SPCWG)
Systems Analysis and Modelling Subcommittee (SAMS)
Retire
Systems Analysis and Modelling Subcommittee (SAMS)

Security Working Group (SWG)

• Risk Mitigation Program Area
• Tactical scope focused on short term security and compliance issues e.g., SARs, recently disclosed vulnerabilities, RISC report items
• Review and develop Security Guidelines and Compliance Implementation Guidance as needed
• Provides expert resources for RSTC groups that need input regarding the security aspects of their respective group’s activities
• Coordinate with SITES when security issue impacts operations or planning

Proposed Operating Model – 23 subgroups

[Organization chart; box labels in extraction order]
Reliability and Security Technical Committee (RSTC)
Executive Committee
Performance Monitoring
Risk Mitigation
Supply Chain Working Group (SCWG)
Security Working Group (SWG)*
Security and Reliability Training Working Group (SRTWG)
Reliability and Security Assessment
Reliability Assessment Subcommittee (RAS)*
Probabilistic Assessment Working Group (PAWG)
System Planning Impacts from DER Working Group (SPIDERWG)*
Inverter-Based Resource Performance Working Group (IRPWG)*
Electric-Gas Working Group (EGWG)*
EMP Task Force (EMPTF)*
Security Integration and Technology Enablement Subcommittee (SITES)*
Load Modeling Working Group (LMWG)
Power Plant Modeling and Verification Task Force (PPMVTF) – to be retired early 2021
4 sponsors*
2 sponsors*
6 sponsors*
System Protection and Control Working Group (SPCWG)*
Real-Time Operations Subcommittee (RTOS)*
Resources Subcommittee (RS)*
Reserves Working Group (RWG)
Frequency Working Group (FWG)
Event Analysis Subcommittee (EAS)*
Energy Management Systems Working Group (EMSWG)
Performance Analysis Subcommittee (PAS)*
Failure Modes and Mechanisms Task Force (FMMTF)
Synchronized Measurements Working Group (SMWG)
GMD Task Force (GMDTF) – to be retired early 2021

Outlined groups report directly to RSTC.

What Would It Look Like for Sponsors?

Sponsors’ Assignments
• Following organizational review, RSTC Sponsors will be assigned by the RSTC Executive Committee to each subgroup* with regards to diversity of expertise.
• Sponsors’ assignments will be refreshed annually by the RSTC Executive Committee following review of the subgroups

Sponsors’ Responsibilities
• Sponsors are members of the RSTC but not members of any subgroup
• Attend at least 2 subgroup meetings per year
• Schedule quarterly calls with program area’s subgroup leadership and NERC Coordinators to review status reports and prepare for RSTC meetings
• Notify the RSTC Executive Committee if any topics arise which should be on a RSTC agenda
• Advocate and support discussion for subgroup-related topics that arise during RSTC meetings

[Organization chart; box labels in extraction order]
Reliability and Security Assessment
Reliability Assessment Subcommittee (RAS)*
Probabilistic Assessment Working Group (PAWG)
Security Integration and Technology Enablement Subcommittee (SITES)
Risk Mitigation
Supply Chain Working Group (SCWG)
Security Working Group (SWG)*
Security and Reliability Training Working Group (SRTWG)
System Planning Impacts from DER Working Group (SPIDERWG)*
Inverter-Based Resource Performance Working Group (WG)*
Electric-Gas Working Group (EGWG)*
EMP Task Force (EMPTF)*
Load Modeling Working Group (LMWG)
Power Plant Modeling and Verification Task Force (PPMVTF) – to be retired in early 2021
System Protection and Control Working Group (SPCWG)*
GMD Task Force (GMDTF) – to be retired in early 2021
Performance Monitoring
Real-Time Operations Subcommittee (RTOS)*
Resources Subcommittee (RS)*
Reserves Working Group (RWG)
Frequency Working Group (FWG)
Event Analysis Subcommittee (EAS)*
Energy Management Systems Working Group (EMSWG)
Performance Analysis Subcommittee (PAS)*
Failure Modes and Mechanisms Task Force (FMMTF)
Synchronized Measurements Working Group (SMWG)

Subgroups identified above by “*”

What a Sponsor is NOT

Sponsors are NOT:
• A Chair of the working groups, dictating or telling working groups what to do
• Working group members
• Attempting to push their own personal agendas
• Representing the specific organization from which we come (NERC, Regions)

Subgroup Chair

The Subgroup Chair:
• Provides leadership, and encourages each group member to be a leader
• Ensures group is creative and innovative, maintain functionality and focus on goals
• Facilitates conversations so each group member has the opportunity to contribute
• Achieves desired results for each meeting, with recommendations and path forward
• Ensures Charter guidelines are met, with expected and timely results
• Assures decisions reflect the group’s point of view rather than opinions of Chair
• Is accountable for and endorses the outcomes of the group
• Maintains powerful and timely communications with other working group Chairs, Sponsors, and others who benefit from the work of their group
• Seeks input from group for proper preparation of agenda and meeting materials

RSTC/RISC Coordination

Transition Timeline Update

Activity (timeline columns: Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec)
• Processes: Develop consolidated and summary workplan
• Processes: Assign subgroup sponsors and communicate assignments
• Strategy: EC Defines Draft Strategic Objectives
• Strategy: Development of RSTC Operational Plan
• Processes: Refine recommendations based on RSTC feedback
• Develop Transition Task Force and High-Level Approach
• RSTC Meeting to Review / Discuss Draft Recommendations
• Organization: Review of Subgroups – identify future-state structure
• RSTC Meeting to Review / Approve Recommendations
• Processes: Develop detailed roles and responsibilities for RSTC / subgroup leadership
• RSTC Meeting to Review / Approve Recommendations
• Metrics: EC Identifies success metrics for RSTC and sub-groups based on strategic plan
• Processes: Develop sponsor expectations

July 28 Closed RSTC meeting


Align and ERO SEL Project Update
Dee Humphries, Director, Project Management Office
CCC and SC Joint Meeting
September 24, 2020
Agenda Item 3
Standards Committee and Compliance and Certification Committee
September 24, 2020


Agenda
• General Align and ERO SEL Update
• Phase of Align
• Registered Entity Testing – Feedback
• Timeline
• Transition Plans


Align – Release 1

• Testing complete
• Regional adoption workshops in progress (pre-training)
• Training materials near completion (end of September)
• Regional training commences November
• Registered entity training scheduled for Q1


Align Release 1: What to expect as a registered entity?

Stakeholder Group: Registered Entities
Release 1 Functionality
• Create and submit Self-Reports and Self-Logs
• Create and manage mitigating activities (informal) and Mitigation Plans (formal)
• View and track open Enforcement Actions (EAs) resulting from all monitoring methods
• Receive and respond to Requests for Information (RFIs)
• Receive notifications and view dashboards on new/open action items
• Generate report of standards and requirements applicable to your entity
• Manage user access for your specific entity
• Manage evidence supporting R1 functionality securely via separate Evidence Locker(s)


Align Future Releases: What to expect?
Release 2 Functionality (Q2 2021)
• Technical Feasibility Exceptions (TFEs)
• Periodic Data Submittals
• Self-Certifications
• Additional enhancements identified from R1 as needed
• CFRs, JROs and Attestation in Align
• Expand use of Evidence Lockers to include evidence submitted for these activities
Release 3 Functionality (Q4 2021)
• Compliance Planning (i.e., Risk, CMEP Implementation Plan, Inherent Risk Assessment, Internal Controls Evaluation, Compliance Oversight Plan)
• Compliance Audit
• Spot Check
• Compliance Investigations
• Complaints
• Expand use of evidence lockers to include evidence submitted for these activities
Note: The monitoring methods above will be managed in existing systems during the gap between R1 and R2


Evidence Lockers: What are they?
• Highly secure, isolated, on-premises environments
  - Collect and protect evidence
  - Enable submission by authorized and authenticated entity users
  - Provide compartmentalized analysis of evidence in temporary, isolated, disposable environments
  - Does not interface with any other systems
• Evidence in these environments is:
  - Encrypted immediately upon submission
  - Securely isolated per entity
  - Never extracted
  - Never backed up
  - Subject to proactive and disciplined destruction policy


Evidence Lockers: What are they NOT?
• NOT an FTP site
• NOT just a SharePoint site or document repository
• NOT simple or inexpensive


Evidence Management Guiding Principles

• All registered entity-provided evidence, unless prohibited by a standard, will go into the registered entity or ERO SEL
  - All registered entity lockers must meet ERO SEL functional requirements

• ERO Enterprise workflow and work products will be in the ERO Enterprise Align tool.

• The ERO Enterprise will enhance work products (e.g., working papers) to support conclusions without the need to store data for extended periods, minimizing data protection risk.

NOTE: The Align team will achieve this through training, guidance, oversight activities, and other outreach.


Evidence Lockers: Can registered entities build them?
• Yes; however, they must be available and validated before they are authorized for use for CMEP activities as per the ERO SEL functional requirements.
  - Analysis tools availability (e.g., NP-View, RAT-STATS, MS Office, Adobe Acrobat)
  - Assurance of data integrity
  - CEA login through NERC’s federated authentication services
• The retention obligation does not change (e.g., the requirement still exists for CEA access to evidence if the locker is retired).


Align and ERO SEL R1 Timeline (As of September 2020)

• R1 Regional Adoption Workshops (August – October): Workshops focused on preparing the regions for R1
• R1 Train the Trainer (TTT) (October): Prepare Training SMEs to facilitate regional staff and registered entity training
• R1 Initial Regional Align Training (November – January): Regions begin to conduct initial training for staff on use of Align focused on the changes to internal regional business processes
• R1 TTT – Align Refresher and ERO SEL (January – February): Walk through TTT materials for ERO SEL and provide Align refresher
• R1 Registered Entity Training – Align and ERO SEL (February - April): Regions continue to conduct training for regional staff and begin training for entities
• R1 Go Live NERC, MRO and TRE (March 2021): Initial Pilot Go Live
• R1 Go Live Remaining Regions (April – May 2021)
Audience impact key: ERO Enterprise Staff; Registered Entities


Align Release Overview
• Release 1: Q1 2021
• Release 2: Q2 2021
• Release 3: Q4 2021
Align and Evidence Locker(s)


Align Registered Entity Testing

• Concluded in July
• What was tested
  - Self-report, mitigation and enforcement features
  - Workflows and business rules
  - Dashboards
  - Notifications
• 20 companies participated


Registered Entity Testing Feedback

• Overall positive experience
• Acknowledged the progress from earlier demos of Align
• Complimentary of the training materials (videos and quick reference guides)
• Requested a similar opportunity to test the ERO SEL when ready
• Requested more engagement around Standards reporting
• Some expressed disappointment that there are still 2 systems (Align and ERO SEL) but understand the business case
• Approximately 50 enhancement requests received; will be considered for future releases
• Defects were identified and scheduled for resolution/disposition


Legacy System Transition

• Data migration strategy determines transition (DRAFT)

| Function | Release 1 | Release 2 | Release 3 | Legacy Systems Final Sunset |
| New Self Reports and Self Logs | Align | Align | Align | Align |
| New Findings, Enforcement Actions, and Mitigations | Align | Align | Align | Align |
| Open Enforcement Actions and Mitigations | Legacy Systems | Legacy Systems | Migrated to Align | Align |
| Mitigation plans (documents) | Legacy Systems | Legacy Systems | Regional Archive Systems, if desired (these should already be part of the filed record, correct?) | Regional Archive Systems, if desired (these should already be part of the filed record, correct?) |
| ERO Metrics (data to support trending and analysis for CMEP Annual Report) | CRATS & Align | CRATS & Align | Migrated to Align | Align |
| Entity Metrics (data to support trending and analysis at the Entity Level - i.e., information about the entity - analysis of compliance history - but not documents, work papers, or evidence) | Legacy Systems | 2018 and newer in Align, Legacy Systems for 2017 and earlier | 2015 and newer in Align, Legacy Systems for 2014 and earlier | Align |
| Disposition documents/Settlement Agreements | Legacy Systems | Legacy Systems | Regional Archive Systems, if desired (these should already be part of the filed record, correct?) | Regional Archive Systems, if desired (these should already be part of the filed record, correct?) |
| Issue New Self Cert Questionnaires | Legacy Systems | Align | Align | Align |
| In-Progress Self Certs | Legacy Systems | Legacy Systems | Migrated to Align (if any) | Align |
| New Periodic Data Submittals | Legacy Systems | Align | Align | Align |
| In Progress Data Submittals | Legacy Systems | Legacy Systems | Migrated to Align (if any) | Align |
| New TFEs | Legacy Systems | Align | Align | Align |
| Existing TFEs | Legacy Systems | Migrated to Align | Align | Align |
| New Compliance Planning Information (IP, IRA, ICE, COP, Audit Schedules) | Legacy Systems | Legacy Systems | Align | Align |
| Existing Compliance Planning Information (IP, IRA, ICE, COP, Audit Schedules) | Legacy Systems | Legacy Systems | Legacy Systems | Migrated to Align |
| New Audits, Spot Checks, Investigations | Legacy Systems | Legacy Systems | Align | Align |
| Scheduled/Planned Audits, Spot Checks, Investigations | Legacy Systems | Legacy Systems | Legacy Systems | Migrated to Align |

Row group labels: Violation Data (Findings, Enforcement Actions, Mitigations); Planning, Risk, and Process Management Data


Transition – Supporting Material

• Start/Stop/Continue guides will be available for registered entities

Start/Stop/Continue

What should you start doing?

What should you continue doing?

Additional Details

What should you stop doing?

• Existing Registered Entities will maintain registration information (e.g., PCC/PCO/ACC contact changes, adding Registration Scopes, etc.) in both CORES (to feed Align) and in existing tools (e.g., WebCDMS, CITS) for the duration of the Align implementation

• For new Registered Entities, contact information and registration changes will be made in CORES and the regions will be responsible for updating contact information and registration in CITS, CDMS

• For existing entities, registration changes will be made in CORES and contact changes will be made in CITS or CDMS

• If your entity is approved for self-logging, coordinating self-logging activities/expectations with your regional entity point of contact(s)

• Performing your Self-Report process in Align
• Performing your enforcement activities (e.g., Violation Processing, Dismissals, CEs, FFTs, and Settlement/NOCV processes) in Align
• Performing your mitigation activities & Mitigation Plan processes, including

• Maintaining registration information (e.g., PCC changes, asset changes, etc.) in existing tools (e.g., WebCDMS, CITS) for the duration of the Align implementation

• Performing all processes related to Self-Certifications, Periodic Data Submittals, and Technical Feasibility Exceptions using existing tools

• Performing all processes related to Compliance Audits, Spot Checks, Compliance Investigations and Complaints using existing tools

For noncompliance that was submitted into CITS/CDMS
• Performing your enforcement activities (e.g., Violation Processing, Dismissals, CEs, FFTs, and Settlement/NOCV) using existing tools (e.g., WebCDMS, CITS)
• Performing your mitigation activities & Mitigation Plan processes, including mitigation tracking, using existing tools (e.g., WebCDMS, CITS)

• The Align Release 1 Start, Stop, Continue Executive Summary provides only high-level information on process, terminology, and tool changes

• Please see the section below for detailed information on what processes will be completed in Align vs. existing tools for Self-Log & Self-Report, Enforcement, Mitigation, Self-Certification, Periodic Data Submittals, TFEs, and Compliance processes

For noncompliance that was submitted into CITS/CDMS
• Performing your Self-Report process using existing tools (e.g., WebCDMS, CITS)
• Submitting evidence through legacy tools


Functional Model Task Force (FMTF) Update
John Allen, Co-Chair, Compliance & Certification Committee
Todd Bennett, Co-Chair, Standards Committee
September 24, 2020
Agenda Item 4
Standards Committee and Compliance and Certification Committee
September 24, 2020


Timeline

Previous Actions
• In 2019, leadership of the Standards Committee (SC), the Compliance and Certification Committee (CCC), Technical Standing Committees, Functional Model Advisory Group (FMAG) and NERC management considered next steps related to the Functional Model (FM); the group determined the most prudent course of action was to retire the FM.

• The SC voted to archive the FM and Functional Model Technical Documents in September 2019.


Commitment

CCC and SC leadership committed to:
• Consider concepts of the registered entity functions that are captured exclusively in the Functional Model that may need to be incorporated and maintained in the Organization Registration and Certification Manual and the Compliance Registry Criteria by the Organization Registration and Certification Subcommittee (ORCS).

• Consider any gaps in Registry Criteria from reliability functions and tasks performed by functional entities not currently considered in the Registry Criteria.


FMTF Scope

FMTF Purpose
• NERC CCC has a role to provide stakeholder feedback to NERC related to Enterprise Programs, Standards adherence and Enterprise Tools.

• NERC CCC FMTF will execute this role to accomplish the previous commitments of the CCC & SC leadership.

• FMTF is directed by the ORCS of the CCC in conjunction with the SC.


FMTF Scope

Purpose
• The FMTF will collaborate with NERC on these activities to ensure an open and transparent discussion is available around these topics for consideration.

• The FMTF will perform any necessary analysis through March 2021.

• If the FMTF extends beyond this date, the Compliance and Certification Committee Executive Committee (CCCEC) will evaluate the scope and work with the ORCS or FMTF to determine appropriate actions.


Future Actions
The FMTF will provide suggestions on issues for discussion and recommendations to CCC for consideration as follows:
• Gather information on the Functional Model retirement issues.
  - Identify support needs and use CCC subcommittees or individual members that have the expertise to review the issues.
  - Initiate or request FMTF discussions as issues are identified.
  - Identify issues representing specific concerns quickly and facilitate swift resolution or communications.
• Develop suggested recommendations related to the issues.
• Present work outcomes to the CCC for awareness.


Membership
• ORCS Members – John Allen, Thomas McDonald, Patti Metro, Jody Green, James Crawford, Nicole Mosher, Steve McElhaney, Jami Young
• ORCS Active Participants (Observers) – Christina Bigelow
• ORCS Chair – Keith Comeaux
• ORCS Vice Chair - Greg Campoli
• Standards Committee Participants – Todd Bennett
• CCC Chair (optional) – Jennifer Flandermeyer
• CCC Vice Chair (optional) - Scott Tomashefsky


FMTF Actions
FMTF Actions to Date
• Establishment of Co-Chairs
• Kickoff meeting September 2nd
• Gap analysis FMTF survey in draft
• NERC Extranet site in development
• Next meeting TBD


Agenda Item 4(i)
Standards Committee and Compliance and Certification Committee
September 24, 2020

Functional Model Task Force Scope

Purpose
The North American Electric Reliability Corporation (NERC) Compliance and Certification Committee (CCC) has a role to provide stakeholder feedback to the Electric Reliability Organization (ERO) related to Enterprise Programs, Standards adherence and Enterprise Tools. The NERC CCC Functional Model Task Force (FMTF) will execute the CCC role to identify and address potential gaps with the archival of the Functional Model (FM) and consideration of the robustness of the Registry Criteria related to functional registration tasks and obligations. This task force will be directed by the Organization Registration and Certification Subcommittee (ORCS) of the CCC in conjunction with the NERC Standards Committee. The FMTF will collaborate with the ERO on these activities to ensure an open and transparent discussion is available around these topics for consideration. The FMTF will perform any necessary analysis through March 2021. If the FMTF extends beyond this date, the Compliance and Certification Committee Executive Committee (CCCEC) will evaluate the scope and work with the ORCS or FMTF to determine appropriate actions.

Roles and Activities
In 2019, the ad hoc group was formed of the leadership of the Standards Committee (SC), the Compliance and Certification Committee (CCC), Technical Standing Committees, Functional Model Advisory Group (FMAG) and NERC management to consider next steps related to the Functional Model; the group determined the most prudent course of action was to retire the FM. The Standards Committee voted to archive the FM and Functional Model Technical Documents (FMTD) in September 2019. At that time the CCC and SC leadership committed to:

• Consider concepts of the registered entity functions that are captured exclusively in the Functional Model that may need to be incorporated and maintained in the Organization Registration and Certification Manual and the Compliance Registry Criteria by the Organization Registration and Certification Subcommittee (ORCS).

• Consider any gaps in Registry Criteria from reliability functions and tasks performed by functional entities not currently considered in the Registry Criteria.

The FMTF will provide suggestions on issues for discussion and recommendations to CCC for consideration as follows:

1. Gather information on the Functional Model retirement issues.

a. Identify support needs and use CCC subcommittees or individual members that have the expertise to review the issues.

b. Initiate or request FMTF discussions as issues are identified.

c. Identify issues representing specific concerns quickly and facilitate swift resolution or communications.

2. Develop suggested recommendations related to the issues.

3. Present work outcomes to the CCC for awareness.


Membership
The FMTF membership will be comprised of those CCC or ORCS members and observers appointed by the CCC Chair. It is desired and highly encouraged that NERC and Regional Entity management participate.

1. Composition

a. ORCS Members

b. ORCS Active Participants (Observers)

c. ORCS Chair

d. ORCS Vice Chair

e. Standards Committee Participants

f. CCC Chair (optional)

g. CCC Vice Chair (optional)

2. Leadership

a. A Chair will be appointed from the FMTF membership. A Vice-Chair may be appointed if helpful to facilitate the task force deliverables.

3. Observers

a. The FMTF Chair may invite observers to participate in meetings, which may include additional NERC or Regional Entity staff, as well as other CCC or ORCS members (e.g., CCC subcommittee representatives). Observers may actively participate in the discussion and FMTF deliverables.

Meetings
The FMTF meetings will be scheduled based on workload, as determined by the Chair or members. Due to the short duration of the FMTF, it is likely meetings will be monthly and will be conducted by conference call. Meetings may also occur in conjunction with the regular CCC meetings. The FMTF meetings will be open to other participants. The FMTF or ORCS Chair will approve this participation and work with the CCC Chair for any necessary appointments.


NERC Internal Audit of Reliability Standards Development Program
Monica Bales, Internal Audit and Corporate Risk Management
September 24, 2020
Agenda Item 5
Standards Committee and Compliance and Certification Committee
September 24, 2020


Internal Audit Process

Audit Planning
• Various Input
• Meetings with Management
• Scope and Objectives
• Logistics

Audit Execution
• Audit procedures
• Review evidence
• Identification of observations, if applicable

Audit Reporting
• Compilation of audit results – NO SURPRISES
• Management responses

Wrap-up
• Administrative activities
• Finalize and file working papers


Building the Audit Scope
• Audit Universe – collection of all audit units that are within the scope of internal audit
• Combination of:
  - Business units, processes, systems, programs etc.
  - Key risks or key controls
  - Subjective process
• Benefits of Audit Universe
  - Provides improved knowledge of all parts of the organization (risks, controls, strategies) to determine control gaps or duplicated efforts
  - Focus on different ways to assess risk – leads to audit plan


Risk-based Audit Approach
• What is a risk-based audit?
  - Assess the importance and performance of each area audited
  - Use the results to devote time and resources to the critical business areas
  - Methodology that links internal auditing to an organization's overall risk management framework.
• Main concept
  - Reduce audit risks
• Benefits
  - Better understanding of business and its environment
  - Increased chance of achieving audit objective


CCC Roles and Responsibilities
• CCCPP-003: Monitoring Program for NERC’s RS Development Program
• Confidentiality and non-disclosure agreements
• Complete NERC auditor training
• Involved with audit planning
• Observe NERC staff interviews
• May provide questions and advice to auditors during audit
• Do not review audit evidence
• Review report and audit observations


Standard Processes Audit Scope
• Audit is required by Section 405 of the ROP
• Includes Section 300, Appendix 3A, 3B and 3D
• Audit occurs once every three years; prior audit 2017
• Current audit timeframe July 1, 2017 through June 30, 2020


Reporting
• Reporting
  - Audit report is publicly posted on NERC website after non-compliance items have been remediated
  - Draft audit report should circulate in October
  - All observations vetted through NERC staff before being reported
  - Report provided to CCC November Meeting; EWRC Q1 2021
  - Management provides updates on remediating audit findings twice a year until the finding is closed


Cloud Computing Update

Lonnie J Ratliff, Senior Manager Cyber and Physical Security Assurance
Steven Noess, Director of Regulatory Programs
Joint SC/CCC Meeting
September 24, 2020
Agenda item 8
Standards Committee and Compliance and Certification Committee
September 24, 2020


Today’s Landscape
• Virtual and cloud computing resources are becoming increasingly prevalent.
  - NERC supports technology enhancements consistent with a reliable and secure bulk power system.
  - Emerging paradigm is transitioning fast and beyond current Reliability Standards framework.
  - Future must balance innovation, managing cyber risks, and relevant regulation.
• NERC encourages innovative approaches to Reliability Standards framework to manage and mitigate continuing cyber risks.


Discussion Questions / Topics
• Four future-state use cases
  - Cloud or Virtualization
  - Storage of Information in the Cloud
  - Cloud-based Electronic and Physical Monitoring Cyber Assets
  - Cloud-based BES Operations
• Existing NERC support
  - BCSI Practice Guide
  - Supply Chain Study
  - Standards Development Support (Projects 2016-02 and 2019-02)
• Other Considerations and Looking Forward


Use Case 1 - Cloud or Virtualization

Reference: www.lettoknow.com


Virtualization


Cloud Computing


“Cloud” is a Spectrum not “Either/Or”


Use Case 2 – Cloud Usage of BCSI
• ERO Support
  - Ability to use now
  - ERO Enterprise Practice Guide
    o Focus on data and ability “to obtain and use”
• Moving Forward
  - SDT Project 2019-02


Use Case 3 – Electronic and Physical Monitoring
• Use Case 3 – Electronic and Physical Monitoring
  - Devices that are logging access (provides history/forensics)
  - Reliability Standards
    o Cyber asset-centric approach
    o Access vs logging
  - Cloud logging and monitoring can provide enhanced detection awareness
  - Standards Development activity still shaping consensus


Use Case 4 – BES Operations
• Use Case 4 – BES Operations
  - Operations (Access control, SCADA systems, etc.)
  - Increased use of third-party providers (movement from on-premises devices to virtual cloud computing)
  - Heavy reliance on network communications
  - Possibility of enhanced resilience
• Reliability Standards
  - Existing device-centric framework well-suited for on-premises solutions
  - NERC supports objective-based framework to address transitioning paradigm


Looking Ahead
• Third-party certification
  - Controls testing and reporting
  - Contrast with specific NERC Reliability Standards requirements
• Support industry to enable new paradigms in Reliability Standards


Standards Efficiency Review

John Allen, Manager - Reliability Compliance, City Utilities of Springfield
Chris Larson, Senior Standards Developer, NERC
September 24, 2020
Agenda Item 9
Standards Committee and Compliance and Certification Committee
September 24, 2020


SER Phase 1
• Project 2018-03 SER Retirements
• June 7, 2019, NERC staff submitted a petition, FERC Docket Number RM19-17-000, for the approval of approximately 84 Requirement retirements in the INT, FAC, PRC, and MOD Reliability Standards families
• In a NOPR, FERC proposed approving most recommended retirements, but asked for clarification on a few proposed retirements
• No further action required by SER


CIP SER
• CIP Standards Efficiency Review
• Drafting justification and SAR to retire time-based evidence retention requirements
  - Post draft SAR for public comment, estimated Q4 2020
  - Make necessary revisions and submit to NERC and SC for approval
• CIP SER team will evaluate next steps for modifications recommendations


SER Phase 2: Evidence Retention
• SER Phase 2 website
• SER work has concluded, recommendations were endorsed
• NERC staff will continue to pursue changes to ROP language and maintain dialogue with SC, CCC, and FERC
• Post proposed ROP revisions for public comment Q3-Q4
• No further action required by SER


SER Phase 2: Ops Data Simplification
• After receiving comments from industry on draft SAR ending May 27, a team of SER members reviewed industry comments, made edits to the SAR, and submitted to NERC on June 23
• Most comments dealt with clarification of scope and distinguishing that PER-005 revisions would not be included
• NERC staff is reviewing SAR and plans to submit to SC Q4 2020 or Q1 2021
• Coordination needed with Project 2019-06 Cold Weather SAR DT


SER Phase 2: Prototype Standard
• Retool the concept and recommended actions from original proposal
• Approach more broadly compared to updating a standards template; key consideration of how to minimize the need to have a P81 or SER process every 3-5 years
• Update SER Advisory Group in Q3-Q4 with next steps to follow


Standards Committee 2020-2022 Strategic Work Plan

Todd Bennett, Vice Chair, Standards Committee
September 24, 2020
Agenda Item 10
Standards Committee and Compliance and Certification Committee
September 24, 2020


2020 – 2022 SC Strategic Work Plan

Location


Introduction

This Standards Committee (SC) Strategic Work Plan (Plan) focuses Standards development activities on:
• Addressing FERC directives,
• Continuing periodic reviews,
• Addressing emerging risks using input from various sources, including the Reliability Issues Steering Committee (RISC).

The SC will continue:
• Overseeing standards grading activities,
• Prioritizing standards development activities.


Vision & Mission

Vision
• A comprehensive body of Reliability Standards collectively achieving an adequate level of reliability and promoting reliable operation of the North American bulk power system.

Mission
• Manage and oversee development of a comprehensive set of Reliability Standards aligned with NERC’s strategic goals through open and inclusive processes and procedures.


Guiding Principles
• The details of the goals and objectives for 2020-2022 appear in the RSDP.
• Promote and implement a collaborative working environment with other NERC Standing Committees, NERC Standards staff, stakeholders, and standard drafting teams.
• Execute the Standards development process for effective and efficient use of NERC and industry resources.
• Promote and take a leadership role on consensus-building activities.


Work Plan
• Task 1 - Periodic Reviews
• Task 2 - Standards Grading
• Task 3 - Transition of Guidelines and Technical Basis to Technical Rationale
• Task 4 - Standards Committee Process Subcommittee (SCPS)
• Task 5 - Fourth Quarter Review of 2020-2022 SC Strategic Work Plan
• Task 6 - Standards Efficiency Review
