attachment c cip

Upload: coe201

Post on 03-Apr-2018


  • 7/28/2019 Attachment C CIP

    1/42

    Attachment "C" CIP Data List for Sampling

    Sequence of Completion

    Phase 1 - RFC supplies Attachment C for entity to input required data.

    Phase 2 - Entity completes the three green colored tabs: Critical Assets, Cyber Assets, and Personnel and submits to RFC via extranet. See Phase 2 instructions for more details.

    Phase 3 - RFC performs sample selection and sends back to entity for detailed information requests (Device Sample and Personnel Sample tabs will be populated with requested samples)

    Phase 4 - Entity supplies detailed information back to RFC via extranet (Device Sample and Personnel Sample tabs completed)

    RFC Action Required:

    RFC supplies the Attachment C to the entity as part of the 90 day notification package. The CIP evidence list (Yellow Tab) is customized for the entity audit scope.

    Color Coded Tabs

    Entity populates green tabs

    Red colored tabs are meant to illustrate the information required once samples are selected by RFC. There is no need to fill in this information.

    Yellow colored Tab is customized by the ATL to assist the entity via a list of applicable in scope requirements with due dates and Samples as appropriate

    Acronyms:

    EACM - Electronic Access Control and Monitoring

    AP - Access Point

    CCA - Critical Cyber Asset

    ESP - Electronic Security Perimeter

    NCCA - Non-Critical Cyber Asset

    PSP - Physical Security Perimeter

    PACS - Physical Access Control System

    Next Steps:

    After this Workbook is completed, sent to and received by ReliabilityFirst, the audit team will apply a sampling methodology to this data list in order to establish and define a specific random sample set to audit against. The audit team will then send Evidence Requests for the specific random sample to the audited entity within 10 calendar days of receipt of a completed Attachment C and/or no later than sixty five (65) calendar days prior to the scheduled review date of the Compliance Audit.


    Standard Requirement

    CIP-002-3 R1

    CIP-002-3 R1.1

    CIP-002-3 R1.2

    CIP-002-3 R1.2.1

    CIP-002-3 R1.2.2

    CIP-002-3 R1.2.3

    CIP-002-3 R1.2.4

    CIP-002-3 R1.2.5

    CIP-002-3 R1.2.6

    CIP-002-3 R1.2.7

    CIP-002-3 R2

    CIP-002-3 R3

    CIP-002-3 R4

    CIP-003-3 R1

    CIP-003-3 R1.1

    CIP-003-3 R1.2


    CIP-003-3 R3

    CIP-003-3 R3.1

    CIP-003-3 R3.2

    CIP-003-3 R3.2

    CIP-003-3 R3.3

    CIP-003-3 R4

    CIP-003-3 R4.3

    CIP-003-3 R5

    CIP-003-3 R5.1

    CIP-003-3 R5.1.2

    CIP-003-3 R5.2

    CIP-003-3 R5.3

    CIP-003-3 R6

    CIP-003-3 R6

    CIP-004-3 R1

    CIP-004-3 R1

    CIP-004-3 R2

    CIP-004-3 R2.1

    CIP-004-3 R2.2

    CIP-004-3 R2.3

    CIP-004-3 R3

    CIP-004-3 R3

    CIP-004-3 R3.1

    CIP-004-3 R3.2

    CIP-004-3 R3.3


    CIP-004-3

    CIP-005-3 R1

    CIP-005-3 R1

    CIP-005-3 R1

    CIP-005-3 R1

    CIP-005-3 R1

    CIP-005-3 R1

    CIP-005-3 R2

    CIP-005-3 R2.1, R2.2

    CIP-005-3 R2

    CIP-005-3 R2

    CIP-005-3 R2

    CIP-005-3 R2

    CIP-005-3 R2

    CIP-005-3 R2.4 (footnote 4)

    CIP-005-3 R2.6 (footnote 4)

    CIP-005-3 R3

    CIP-005-3 R3

    CIP-005-3 R3

    CIP-005-3 R3


    CIP-005-3 R5 & R5.1

    CIP-005-3 R5.2

    CIP-005-3 R5.3

    CIP-006-3 R1

    CIP-006-3 R1

    CIP-006-3 R1.1 (footnote 4)

    CIP-006-3 R1.1 (footnote 4)

    CIP-006-3 R1.2

    CIP-006-3 R1.2

    CIP-006-3 R1.3

    CIP-006-3 R1.3

    CIP-006-3 R1.4

    CIP-006-3 R1.5

    CIP-006-3 R1.6

    CIP-006-3 R1.6

    CIP-006-3 R1.7

    CIP-006-3 R1.8

    CIP-006-3 R2.1

    CIP-006-3 R2.2

    CIP-006-3 R3

    CIP-006-3 R4

    CIP-006-3 R5


    CIP-006-3 R7

    CIP-006-3 R8

    CIP-006-3 R8.1

    CIP-006-3 R8.2

    CIP-006-3 R8.3

    CIP-007-3 R1

    CIP-007-3 R1

    CIP-007-3 R1

    CIP-007-3 R1.1

    CIP-007-3 R1.2

    CIP-007-3 R1.3

    CIP-007-3 R2

    CIP-007-3 R2.3 (footnote 4)

    CIP-007-3 R3 (footnote 4)

    CIP-007-3 R3 (footnote 4)

    CIP-007-3 R3 (footnote 4)

    CIP-007-3 R4 (footnote 4)

    CIP-007-3 R4 (footnote 4)

    CIP-007-3 R4 (footnote 4)

    CIP-007-3 R5


    CIP-007-3 R5.2

    CIP-007-3 R5.2

    CIP-007-3 R5.3 (footnote 4)

    CIP-007-3 R5.3 (footnote 4)

    CIP-007-3 R5.3.1 (footnote 4)

    CIP-007-3 R5.3.2 (footnote 4)

    CIP-007-3 R5.3.3 (footnote 4)

    CIP-007-3 R6 (footnote 4)

    CIP-007-3 R6 (footnote 4)

    CIP-007-3 R6.1

    CIP-007-3 R6.2

    CIP-007-3 R6.2

    CIP-007-3 R6.3 (footnote 4)

    CIP-007-3 R6.3 (footnote 4)

    CIP-007-3 R6.4, R6.5

    CIP-007-3 R7

    CIP-007-3 R7.3

    CIP-007-3 R8

    CIP-007-3 R8.1

    CIP-007-3 R8.4

    CIP-007-3 R8.4

    CIP-007-3 R9

    CIP-008-3 R1

    CIP-008-3 R1.1

    CIP-008-3 R1.2

    CIP-008-3 R1.2


    CIP-009-3 R1

    CIP-009-3 R1

    CIP-009-3 R1.1

    CIP-009-3 R1.1

    CIP-009-3 R1.2

    CIP-009-3 R1

    CIP-009-3 R2

    CIP-009-3 R3

    CIP-009-3 R4

    CIP-009-3 R5

    3. Evidence identified in this colu

    1. Evidence identified in this listin

    2. Evidence identified in this colu


    Evidence (footnote 1)

    Provide Risk Based Assessment Methodology (RBAM)

    Provide evidence that the RBAM includes both procedures and evaluation criteria, and that the evaluation criteria are risk-based

    Provide evidence that all required BES asset categories were evaluated by the RBAM for inclusion on Critical Asset List

    Provide evidence that all control centers and backup control centers were considered by the RBAM

    Provide evidence that all transmission substations were considered by the RBAM, and that evaluation of these assets was performed at the substation level

    Provide evidence that all generation resources were considered by the RBAM, and that evaluation of these assets was performed at the level of greatest commonality

    Provide evidence that at least the generator(s) used in the preferred restoration path are identified as Critical Assets

    If applicable, provide system restoration plan

    Provide evidence that all automatic load shedding systems meeting the parameters of the standard were considered by the RBAM

    Provide evidence that all special protection systems were considered by the RBAM

    Provide evidence of any additional assets considered by the RBAM

    Provide Critical Asset List derived through annual application of RBAM

    Provide evidence of annual review of the Critical Asset list

    Supporting Evidence:

    For BES assets that were added or acquired, provide evidence that said assets were evaluated by the RBAM

    Provide list of Critical Cyber Assets

    Provide evidence that all cyber assets associated with each Critical Asset were evaluated as possible Critical Cyber Assets

    Supporting Evidence:

    If a comprehensive list of Cyber Assets was used as the basis for evaluation, provide this list. The list should be 1) grouped by Critical Asset 2) have a unique identifier for the Cyber asset such as a device name 3) the type of Cyber Asset (e.g. server, workstation, network device, etc.) 4) The reliability functions the Cyber Asset supports 5) The network segments the Cyber Asset is connected to (network segment identifier or Class C address space as depicted on a network topology diagram). If a comprehensive list of Cyber Assets was not used as a basis for this evaluation, provide an explanation of how the Cyber Assets associated with the Critical Asset were identified for consideration as a Critical Cyber Asset and the list of Cyber Assets considered

    Provide evidence that the senior manager or delegate approved RBAM, CA list, and CCA list

    Provide Cyber Security Policy

    Supporting Evidence:

    Provide all policies referenced by the cyber security policy that address any of the requirements in CIP-002-3 through CIP-009-3

    Provide evidence that each version of the cyber security policy addresses each of the requirements in CIP-002-3 through CIP-009-3 and contains provision for emergency situations

    Provide evidence that the Cyber Security Policy, including any policy incorporated by reference, has been made readily available to all personnel with authorized electronic or unescorted physical access to any Critical Cyber Asset

    ReliabilityFirst CIP Evidence List


    Provide documentation of exceptions to the Cyber Security Policy, including expired exceptions, or an assertion that there have been no exceptions to the Cyber Security Policy during the compliance period

    For each exception to the cyber security policy, provide evidence of the date of approval

    For each exception to the cyber security policy, provide evidence of the explanation of the necessity for the exception

    For each exception to the cyber security policy, provide evidence of any compensating measures

    For each exception to the cyber security policy, provide evidence of the annual review

    Provide information protection program

    Provide evidence of an annual assessment of information protection program

    Provide access control program

    Provide list of designated personnel who are responsible for authorizing logical or physical access to protected information

    Provide evidence of annual verification of the list of personnel responsible for authorizing access to protected information

    Provide evidence of annual review of access privileges

    Provide evidence of the annual assessment of processes for controlling access privileges to protected information

    Provide the process for change control and configuration management

    Provide evidence that the change control and configuration management process has been implemented

    Provide awareness program

    Provide evidence of awareness reinforcement

    Provide Cyber Security Training Program

    Supporting Evidence:

    Addresses to whom it applies, delivery, review, and update frequencies

    Provide Training Documentation, i.e., attendance records

    Supporting Evidence:

    Include all relevant personnel that documents date of authorization and date of training

    Provide training material that addresses all of R2.2 and its sub requirements

    Provide training documentation that includes annual training completion dates

    Provide Personnel Risk Assessment program

    Provide documentation that specifies when the PRA was conducted and when access was granted

    Provide documentation that the PRA program includes all elements of R3.1

    Provide Personnel Risk Assessment Program language that addresses criteria with respect to "for cause" and schedules for re-assessment

    Provide documentation of assessment results for all relevant personnel

    Supporting Evidence:

    Documentation, i.e., database, application or spreadsheet that shows proof of assessments matched against CIP-004 R4 list(s)

    Contract agreements and associated documentation

    Provide list(s), i.e., spreadsheet, database or other application that tracks all electronic and physical access rights


    Supporting Evidence for CIP-004 R2, R3, & R4:

    Provide the following in a spreadsheet, database, etc. for anyone with electronic or physical access to a CCA

    Employee name and ID (unique identifier)

    Date electronic access granted

    Specific electronic access granted

    Date physical access granted

    Specific physical access granted

    Date electronic access removed

    Date physical access removed

    Date of original training

    Date of annual training

    Date initial PRA completed

    Date PRA updated

    For each Critical Cyber Asset identified per CIP-002-3 R3, identify the Electronic Security Perimeter (ESP) within which it resides

    For each ESP, identify each Cyber Asset residing within the perimeter

    For each ESP, identify each access point to the ESP

    For each ESP, identify each cyber asset used in the access control of the ESP

    For each ESP, identify each cyber asset used in the monitoring of the ESP

    For each ESP, provide a high-level diagram showing the major systems protected, all access points, and all access control devices

    For each ESP, provide documentation of processes and mechanisms for control of electronic access to the ESP

    For R2.1, provide evidence that deny-by-default policy is deployed to sampled Access Points. For R2.2, provide evidence for each sampled Access Point that Ports and Services are configured/implemented for operations and for monitoring of cyber assets, including justification, within the respective ESP.

    For each cyber asset used in the access control of an ESP, provide evidence that the access control model denies access by default

    Provide the procedure for securing dial-up access to each ESP

    Provide evidence that the procedure for securing dial-up access to each ESP has been implemented, or an attestation that no dial-up access exists for the ESP in question

    For each ESP, if external interactive access to the ESP has been enabled, describe the controls used to authenticate the user

    For each access control device, provide the document identifying the content of the acceptable use banner

    Please see TFE Footnote #4 - Please provide your evidence organized by TFE ID#

    Please see TFE Footnote #4 - Please provide your evidence organized by TFE ID#

    For each ESP, provide the documented electronic or manual processes for monitoring and logging access at access points to each ESP

    Provide evidence that the above processes have been implemented

    Provide evidence that the above processes are operational twenty-four hours a day, seven days a week

    If applicable, provide evidence of alerts and notification of response personnel


    Provide documentation of annual review for all evidence for CIP-005

    Provide evidence that updates to network control documentation were made within 90 days of a change

    For Access Points selected provide evidence that access logs are retained for at least ninety calendar days.

    Provide evidence for the following dates:

    Date1

    Date2

    Date3

    Date4

    Provide Physical Security Plan

    Provide documentation of approval of Physical Security Plan by the senior manager or delegate(s)

    For each Cyber Asset within an ESP, identify the Physical Security Perimeter (PSP) associated with that Cyber Asset.

    Please see TFE Footnote #4 - Please provide your evidence organized by TFE ID#

    For each PSP, provide identification of all physical access points through the PSP and measures to control entry at those access points

    For each PSP, provide evidence that the measures above have been implemented

    For each PSP, provide documentation of the processes, tools, and procedures for monitoring of physical access to the PSP

    For each PSP, provide evidence that the processes, tools and procedures above have been implemented

    Provide documentation of visitor pass management, response to loss, and prohibition of inappropriate use of physical access controls

    Provide documentation of review of access authorization requests and revocation of access authorization, in accordance with CIP-004-3 Requirement R4.

    For each PSP, provide logs of visitor entry and exit

    For each PSP, provide evidence of continuous escorted access of visitors

    Provide evidence that Physical Security Plan was updated within 30 calendar days of a physical security change

    Provide evidence of an annual review of the Physical Security Plan

    Provide documentation that physical access control systems are protected from unauthorized physical access

    Provide documentation that physical access control systems are afforded the protective measures in the referenced requirements; this may be addressed as part of the individual applicable requirements or directly in response to this requirement

    Provide documentation that electronic access control systems are located within an identified Physical Security Perimeter

    For each PSP, provide documentation of operational and procedural controls to manage physical access at all access points to the PSP

    Provide evidence that Unauthorized access attempts are reviewed immediately and handled in accordance with the procedures specified in Requirement CIP-008-3. Provide evidence of the 90 days prior to the 90 day notification.

    P id d t ti id tif i th th d f l i h i l


    Provide evidence of physical access logs for the implemented logging solution(s) that demonstrates 90 calendar days worth of logs.

    Provide evidence for the following dates:

    Date1

    Date2

    Date3

    Date4

    Date5

    For each PSP, provide evidence of a maintenance and testing program for all physical security systems

    For each PSP, provide evidence of testing and maintenance of all physical security mechanisms

    For each PSP, provide the retention period for the testing and maintenance records

    For each PSP, provide the retention period for outage records regarding access controls, logging and monitoring

    Provide evidence that all Cyber Assets within the Electronic Security Perimeter are subject to the required test procedures

    Provide evidence that all cyber security controls have been included in the test plans

    Provide evidence (including test results) that all significant updates made to Cyber Assets selected have been tested.

    Provide evidence for the past year immediately prior to the 90 day notification.

    Provide documentation that testing was performed in a manner that minimizes impact on the production environment

    Provide documentation that testing was performed in a manner that reflects the production environment

    Provide documentation of test results

    For each Cyber Asset selected, provide a list of each active port and service. For each active port and service identified, provide a description of the port or service and identify the need for that port or service to be enabled

    Please see TFE Footnote #4 - Please provide your evidence organized by TFE ID#

    Provide the security patch management program

    For each Cyber Asset selected, provide evidence of the assessment and implementation of security patches.

    Please see TFE Footnote #4 - Please provide your evidence organized by TFE ID#

    For each Cyber Asset selected, provide evidence of the implementation of anti-virus and malware prevention tools and testing and installation of signature updates.

    Provide documentation of the process used to update anti-malware signatures

    Please see TFE Footnote #4 - Please provide your evidence organized by TFE ID#

    Provide documentation of technical and procedural controls that enforce access authentication and accountability of all user activity

    P id id th t t i l t d th i d


    Provide policy on use of administrator, shared, and other generic account privileges

    Identify those individuals with access to shared accounts

    Provide evidence that passwords adhere to 5.3 sub requirements as technically feasible

    Please see TFE Footnote #4 - Please provide your evidence organized by TFE ID#

    Please see TFE Footnote #4 - Please provide your evidence organized by TFE ID#

    Please see TFE Footnote #4 - Please provide your evidence organized by TFE ID#

    Please see TFE Footnote #4 - Please provide your evidence organized by TFE ID#

    Provide explanation of how security status monitoring is implemented

    Please see TFE Footnote #4 - Please provide your evidence organized by TFE ID#

    Provide documentation of the mechanisms to monitor security events within each ESP

    Provide documentation of alerting system configuration

    Provide a listing of alerts generated by the monitoring systems

    Provide evidence that logs of system events related to cyber security are maintained

    Please see TFE Footnote #4 - Please provide your evidence organized by TFE ID#

    For each Cyber Asset selected provide evidence that logs of system events related to cyber security are maintained and reviewed.

    Provide evidence for the following dates:

    Date1

    Date2

    Date3

    Date4

    Date5

    Provide documentation on methods, processes, and procedures for disposal or redeployment of Cyber Assets within the ESP

    Provide records that assets were disposed of or redeployed in accordance with documented procedures

    Provide documentation of the annual vulnerability assessment of all Cyber Assets within the ESP

    Provide documentation of vulnerability assessment process

    Provide documentation of results of annual cyber vulnerability assessment

    If applicable, provide action plan to remediate or mitigate vulnerabilities and the execution status of the action plan

    Provide documentation and records demonstrating the annual review and update of all documentation for CIP-007

    Provide Cyber Security Incident Response Plan

    Provide procedure for characterizing and classifying events as reportable Cyber Security Incidents

    Provide roles and responsibilities

    Provide incident handling procedure

    Provide communication plans


    Provide Critical Cyber Asset Recovery Plans

    List the Recovery plan that covers the selected cyber assets.

    Provide conditions that would invoke the recovery plan

    Provide recovery actions

    Provide roles and responsibilities

    Provide evidence of annual review

    Provide history of recovery plan exercises conducted, including 1) type of test (e.g. paper drill, table-top exercise, full response drill, etc.) 2) date of test 3) event(s) or condition(s) tested

    Provide documentation of changes to the recovery plan(s) and documentation of all communications

    Provide documentation regarding the backup and storage of information

    Provide documentation of annual testing of backup media

    n must be submitted as designated by ReliabilityFirst.

    Notes

    g is the result of each requirement. This listing is intended to provide guidance to the e

    n must be submitted 40 days before the scheduled audit review date.


    40 Days (footnote 2)

    Upon Request (footnote 3)

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X X

    X

    X


    Not in Scope X

    Not in Scope X

    Not in Scope X

    Not in Scope X

    Not in Scope X

    Not in Scope X

    Not in Scope X

    X

    X

    X

    X

    X

    X

    See Device Sampling Tab

    X

    See Personnel Sampling Tab

    See Personnel Sampling Tab

    See Personnel Sampling Tab

    See Personnel Sampling Tab

    See Personnel Sampling Tab

    X

    See Personnel Sampling Tab

    See Personnel Sampling Tab

    X

    See Personnel Sampling Tab


    See Personnel Sampling Tab

    X

    X

    X

    X

    X

    X

    X

    See Device Sampling Tab

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X


    X

    X See Device Sampling Tab

    See Device Sampling Tab

    XX

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X See Device Sampling Tab

    X See Device Sampling Tab

    X

    See Device Sampling Tab


    See Device Sampling Tab

    X

    X

    X

    X

    X

    X

    See Device Sampling Tab

    X

    X

    X

    See Device Sampling Tab

    X

    X

    See Device Sampling Tab

    X

    See Device Sampling Tab

    X

    X

    X


    X

    See Personnel Sample Tab

    See Personnel Sample Tab

    XX

    X

    X

    X

    X

    See Device Sampling Tab

    See Device Sampling Tab

    See Device Sampling Tab

    See Device Sampling Tab

    X

    See Device Sampling Tab

    X

    X

    X

    X

    See Device Sampling Tab

    See Device Sampling Tab

    X

    X

    X

    X

    X


    X

    See Device Sampling Tab

    X

    X

    X

    X

    X

    Not in Scope X

    X

    X

    tities in preparation for their audits or continued


    Attachment "C" CIP Data List for Sampling Phase 2 Instructions

    Entity Action Required:

    Please complete all the worksheets within this spreadsheet and return to ReliabilityFirst no later than seventy five (75) calendar days prior to the scheduled review date of the Compliance Audit

    Please complete the following worksheets:

    Critical Assets (List of all Critical Assets)

    Critical Assets - Name of Critical Asset

    Asset Function - Enter the function of the Critical Asset, e.g. Primary/Back-Up/Alternate Control Center, Substation, etc.

    Responsible Registered Entity - For a combined audit of multiple registered entities

    Cyber Assets (List of all Cyber Assets and the associated ESP and PSP - Indicate CCA, NCCA, AP, EACM, PACS)

    Cyber Asset Name - Name of the Cyber Asset

    Critical Asset Name - Name of the Critical Asset where the Cyber Asset resides

    ESP Name - Name of ESP containing Cyber Asset

    PSP Name - Name of PSP containing Cyber Asset

    Vendor - Name of vendor for identified Cyber Asset

    Model - Model Name and Number of identified Cyber Asset

    IOS / Platform or Operating System - Name of platform or operating system running on the Cyber Asset (e.g. Windows, NT, Linux, Unix, DB/App, N/A, etc.)

    Virtual Machine - Enter "Yes" or "No" if the asset is a virtual machine

    Asset Type - Enter the type of device, e.g. workstation, server, firewall, switch, IDS, printer, database, etc.

    Supporting Organization - Name of internal organization supporting identified CA (e.g. EMS, Substation, Corp IT, Corp Security, etc.)

    Cyber Asset Type (CCA, NCCA, AP, EACM, PACS)

    Responsible Registered Entity - For a combined audit of multiple registered entities

    Personnel (List of all personnel with authorized cyber or authorized unescorted physical access to critical cyber assets and identification of terminated personnel or personnel role changes within the past six (6) months)

    Name - Name of individual

    Access Type - Should be Physical, Cyber, or Both

    Personnel Type - Should be Employee, Contractor, Vendor or Other

    Date of Termination and/or Personnel Role Change - Identify the date of termination or personnel organization change. Enter N/A if active employee and no personnel role and responsibility change within past six (6) months.

    Responsible Registered Entity - For a combined audit of multiple registered entities

    Color Coded Tabs

    Entity populates green tabs

    Red colored tabs are meant to illustrate the information required once samples are selected by RFC. There is no need to fill in this information.

    Yellow colored Tab is customized by the ATL to assist the entity via a list of applicable in scope requirements with due dates


    Acronyms:

    EACM - Electronic Access Control and Monitoring

    AP - Access Point

    CCA - Critical Cyber Asset

    ESP - Electronic Security Perimeter

    NCCA - Non-Critical Cyber Asset

    PSP - Physical Security Perimeter

    PACS - Physical Access Control System

    Next Steps:

    After this Workbook is completed, sent to and received by ReliabilityFirst, the audit team will apply a sampling methodology to this data list in order to establish and define a specific random sample set to audit against. The audit team will then send Evidence Requests for the specific random sample to the audited entity within 10 calendar days of receipt of a completed Attachment C and/or no later than sixty five (65) calendar days prior to the scheduled review date of the Compliance Audit.


    Sequential number | Critical Asset | Asset Function | Responsible Registered Entity
    1 | SOUTHPARK | PRIMARY CONTROL CENTER | RE1
    2 | NORTHPARK | BACK-UP CONTROL CENTER | RE2
    3 | CEDARCREEK | SUBSTATION | RE3


    Sequential number | Cyber Asset Name | Critical Asset where CCA resides | Name of ESP where CA resides | Name of PSP where CA resides | Vendor | Model | IOS / Platform or Operating System
    1 | EXAMPLE_ABC | SOUTHPARK | EXAMPLE_PCC | EXAMPLE_PSP | IBM | NetVista | Windows 2000
    2 | EXAMPLE_DEF | NORTHPARK | EXAMPLE_SCC | EXAMPLE2_PSP | HP | AU600 | TRU64 UNIX
    3 | EXAMPLE_GHI | SOUTHPARK | EXAMPLE_SUBSTATION | EXAMPLE3_PSP | Gener | B2NR8NX0D | N/A
    4 | EXAMPLE_JKL | SOUTHPARK | EXAMPLE_SUBSTATION | EXAMPLE4_PSP | Gener | B2NR8NX0D | N/A
    5 | EXAMPLE_MNO | SOUTHPARK | EXAMPLE_SUBSTATION | EXAMPLE5_PSP | Gener | B2NR8NX0D | N/A


    Sequential number | Name | Access Type | Personnel Type | Date of Termination
    1 | LASTNAME, FIRSTNAME | Physical Access | Contractor | N/A
    2 | LASTNAME2, FIRSTNAME2 | Cyber Access | Vendor | 12/15/2011
    3 | LASTNAME3, FIRSTNAME3 | Both | Employee | N/A


    Date of Personnel Change | Responsible Registered Entity | Terminated for Cause?
    12/15/2011 | RE1 | Y/N
    12/15/2011 | RE2 | Y/N
    1/3/2012 | RE3 | Y/N


    Sequential number | Critical Cyber Asset Name | Critical Asset where CCA resides | Name of ESP where CCA resides | Name of PSP where CCA resides | Vendor | Model | IOS / Platform or Operating System | Virtual Machine


    Asset Type | Supporting Organization | Cyber Asset Type | Responsible Registered Entity | CIP3 R6 | CIP5 R2.1, R2.2 | CIP5 R3.2

    CIP3 R6: For the selected Cyber Assets, provide documentation to demonstrate that the change control and configuration management process has been implemented. Provide changes for the past year immediately prior to the 90 day notification.

    CIP5 R2.1, R2.2: For R2.1, provide evidence that deny-by-default policy is deployed to sampled Access Points. For R2.2, provide evidence for each sampled Access Point that Ports and Services are configured/implemented for operations and for monitoring of cyber assets, including justification, within the respective ESP.

    CIP5 R3.2: Provide evidence of alerts for each sampled Access Point where attempts at or actual unauthorized accesses were detected. If alerting was not technically feasible for sampled Access Points provide evidence of manual review of logs at least every 90 days.

    Provide evidence of

    CCA

    NCCA

    AP

    EACM

    PACS


    CIP5 R5.3 | CIP6 R5 | CIP6 R7 | CIP7 R1 | CIP7 R2 | CIP7 R3 | CIP7 R4

    CIP5 R5.3: For Access Points selected provide evidence that access logs are retained for at least ninety calendar days. Provide evidence for the following dates: Date1, Date2, Date3, Date4, Date5

    CIP6 R5: Provide evidence that unauthorized access attempts are reviewed immediately and handled in accordance with the procedures specified in Requirement CIP-008-3. Provide evidence of the 90 days prior to the 90 day notification.

    CIP6 R7: Provide evidence of physical access logs for the implemented logging solution(s) that demonstrates 90 calendar days' worth of logs. Provide evidence for the following dates: Date1, Date2, Date3, Date4, Date5

    CIP7 R1: Provide evidence (including test results) that all significant updates made to Cyber Assets selected have been tested. Provide evidence for the past year immediately prior to the 90 day notification.

    CIP7 R2: For each Cyber Asset selected, provide a list of each active port and service. For each active port and service identified, provide a description of the port or service and identify the need for that port or service to be enabled

    CIP7 R3: For each Cyber Asset selected, provide evidence of the assessment and implementation of security patches.

    CIP7 R4: For each Cyber Asset selected, provide evidence of the implementation of anti-virus and malware prevention tools and testing and installation of signature updates.

    CIP7 R5.1.2 | CIP7 R6 | CIP 9 R1

    CIP7 R5.1.2: Provide evidence of audit trails of individual user account activity demonstrating 90 days worth of logs/audit trails. Provide evidence for the following dates: Date1, Date2, Date3, Date4, Date5

    CIP7 R6: For each Cyber Asset selected provide evidence that logs of system events related to cyber security are maintained and reviewed. Provide evidence for the following dates: Date1, Date2, Date3, Date4, Date5

    CIP 9 R1: List the Recovery plan that covers the selected cyber assets.

    Name | Access Type | Personnel Type | Group | Entity

    Sequential number | Name | Access Type | Personnel Type | Group | Responsible Registered Entity | 2010 DATES or oldest on record | 2011 DATES | 2012 DATES

    TRAINING

    ATTENDANCE LOG

    REQUESTED (Y/N) | OLDEST ON RECORD | MOST RECENT | NEXT | SS# CHECK (Y/N) | 7 YR CRIMINAL CHECK (Y/N) | REDACTED PRA SAMPLE REQUESTED (for most recent PRA) (Y/N) (RFC to complete) | REDACTED PRA SAMPLE RECEIVED (for most recent PRA) | DATE | AUTHORIZATION DATE

    PRA DATES | PRA CONTENTS

    GRANTED DATE | CURRENT STATUS - ACTIVE / NON ACTIVE | ANY CHANGE IN ACCESS RIGHTS (Y/N) | DATE CHANGE IDENTIFIED | DATE CHANGE MADE | ACCESS REVOCATION REQUIRED (Y/N) | EMPLOYMENT TERMINATED FOR CAUSE (Y/N) | IF YES, TERMINATION DATE | ACCESS NO LONGER REQUIRED (Y/N)

    CRITICAL CYBER ASSET - AUTHORIZED CYBER ACCESS

    IF YES, DATE IDENTIFIED | ACCESS REVOCATION DATE | AUTHORIZATION DATE | GRANTED DATE | CURRENT STATUS - ACTIVE / NON ACTIVE | ANY CHANGE IN ACCESS RIGHTS (Y/N) | DATE CHANGE IDENTIFIED | DATE CHANGE MADE | ACCESS REVOCATION REQUIRED (Y/N) | EMPLOYMENT TERMINATED FOR CAUSE (Y/N) | IF YES, TERMINATION DATE | ACCESS NO LONGER REQUIRED (Y/N) | IF YES, DATE IDENTIFIED | ACCESS REVOCATION DATE | CIP 006 R1.5 Provide 1 evidence file for all sampled personnel | CIP 007 R5 Provide 1 evidence file for all sampled personnel | RFC COMMENTS | ENTITY COMMENTS

    CRITICAL CYBER ASSET - AUTHORIZED UNESCORTED PHYSICAL ACCESS

    Attachment "C" CIP Data List for Sampling Phase 3 Instructions

    RFC Action Required:

    Select samples and populate the Device Sample and Personnel Sample tabs using approved methodology (and Device Sample Matrix and Personnel Sample Templates) and return to entity no later than sixty-five (65) calendar days prior to the scheduled review date of the Compliance Audit.

    Please complete the following worksheets:

    Device Sample (List of selected Cyber Assets and the associated Standards and Requirements merged with Device Sample Matrix)

    Pull required samples using approved methodology and merge with Device Sample Matrix. Change Device Sample tab color to Green prior to sending to entity.

    Cyber Asset Name - Name of the Cyber Asset

    Critical Asset Name - Name of the Critical Asset where the Cyber Asset resides

    ESP Name - Name of ESP containing Cyber Asset

    PSP Name - Name of PSP containing Cyber Asset

    Vendor - Name of vendor for identified Cyber Asset

    Model - Model Name and Number of identified Cyber Asset

    IOS / Platform or Operating System - Name of platform or operating system running on the Cyber Asset (e.g. Windows, NT, Linux, Unix, DB/App, N/A, etc.)

    Virtual Machine - Enter "Yes" or "No" if the asset is a virtual machine

    Asset Type - Enter the type of device, e.g. workstation, server, firewall, switch, IDS, printer, database, etc.

    Supporting Organization - Name of internal organization supporting identified CA (e.g. EMS, Substation, Corp IT, Corp Security, etc.)

    Cyber Asset Type (CCA, NCCA, AP, EACM, PACS)

    Responsible Registered Entity - For a combined audit of multiple registered entities

    Personnel Sample (List of selected personnel with authorized cyber or

    Personnel Type - Should be Employee, Contractor, Vendor or Other

    Date of Termination and/or Personnel Role Change - Identify the date of termination or personnel organization change. Enter N/A if active employee and no personnel role and responsibility change within past six (6) months.

    Responsible Registered Entity - For a combined audit of multiple registered entities

    Colored Coded Tabs

    Entity populates green tabs

    Red colored tabs are meant to illustrate the information required once samples are selected by RFC. There is no need to fill in this information.

    Yellow colored Tab is customized by the ATL to assist the entity via a list of applicable in scope requirements with due dates and Samples as appropriate

    Sequence of Completion

    Phase 1 - RFC supplies Attachment C for entity to input required data.

    Phase 2 - Entity completes the three green colored tabs Critical Assets, Cyber Assets, and Personnel and submits to RFC via extranet

    Phase 3 - RFC performs sample selection and sends back to entity for detailed information requests (Device Sample and Personnel Sample tabs will be populated with requested samples)

    Phase 4 - Entity supplies detailed information back to RFC via extranet (Device Sample and Personnel Sample tabs completed)

    Acronyms:

    EACM - Electronic Access Control and Monitoring

    AP - Access Point

    CCA - Critical Cyber Asset

    ESP - Electronic Security Perimeter

    NCCA - Non-Critical Cyber Asset

    PSP - Physical Security Perimeter

    PACS - Physical Access Control System

    Attachment "C" CIP Data List for Sampling Phase 4 Instructions

    Entity Action Required:

    Complete the Device Sample and Personnel Sample tabs per below instructions and return to RFC no later than forty (40) calendar days prior to the scheduled review date of the Compliance Audit.

    Please complete the following worksheets:

    Device Sample (List of selected Cyber Assets and the associated Standards and Requirements)

    Please provide an evidence file reference for each Standard/Requirement column listed that is not "greyed out". It is preferred that each requirement will have one PDF file with the information contained within for all the samples within that requirement.

    Personnel Sample (List of selected personnel with authorized cyber or authorized unescorted physical access to critical cyber assets and identification of terminated personnel or personnel role changes within the past six (6) months)

    Complete the required fields for each person

    For the columns CIP 6 R1.5 and CIP 7 R5, it is preferred that each requirement will have one file with the information contained within for all the samples within that requirement. In this file, please include the appropriate training records and redacted PRAs for the selected individuals.

    Colored Coded Tabs

    Entity populates green tabs

    Red colored tabs are meant to illustrate the information required once samples are selected by RFC. There is no need to fill in this information.

    Yellow colored Tab is customized by the ATL to assist the entity via a list of applicable in scope requirements with due dates and Samples as appropriate

    Sequence of Completion

    Acronyms:

    EACM - Electronic Access Control and Monitoring

    AP - Access Point

    CCA - Critical Cyber Asset

    ESP - Electronic Security Perimeter

    NCCA - Non-Critical Cyber Asset

    PSP - Physical Security Perimeter

    PACS - Physical Access Control System

    Date | Name | Version Number | Changes

    December 17, 2010 | Bob Yates | 1 | Initial release of Attachment C spreadsheet

    February 15, 2011 | Bob Yates | 2 | Added type to Critical assets, critical cyber assets and non-critical cyber assets

    October 19, 2011 | Bob Yates | 3 | Added a changes tab and instruction to gather the total population of changes from 10/1/2010 through the 90 notification. This will allow for sampling of changes for CIP-003 R6

    December 19, 2011 | Kristie Purcell | 4 | Changed due date in instructions from 30 days to 75 days.

    December 20, 2011 | Rhonda Bramer | 5 | Added Asset Function field to Instruction and Critical Asset Tab; Added Vendor; Model; Platform or O/S; Function Performed; and Supporting Organization fields to the CCA, Non-CCA, ESP Access Points and ACM and Instruction tabs. Changed abbreviation to acronyms and added acronyms to the Instructions tab. Added examples to the worksheets and formatted.

    January 23, 2012 | Rhonda Bramer | 5.1 | 1) Changed field "Asset Function" to "Asset Type" on the CCA, NCCA, AP and ACM tabs for clarity;

    2) Added filters on each worksheet to enable filtering capability for each tab/worksheet

    3) Removed Changes tab

    4) Added "Date of Termination" and "Date of Personnel Role Change" column to Personnel tab.

    5) Added "Critical Asset" column to CCA, NCCA, AP and ACM tabs to map respective assets back to the Critical Asset.

    6) Added additional examples to each of the worksheets

    7) Updated the Instructions tab to reflect above changes.

    8) Moved Instruction tab to be the first worksheet within workbook.

    9) Moved the Personnel tab to be after ACM worksheet.

    February 23, 2012 | Todd Thompson | 5.2 | Added a "Yes" or "No" column for "Virtual Machine" in the following tabs: Critical Cyber Assets, Non-Critical Cyber Assets, ESP Access Points and Access Control and Monitoring. Also updated the Instructions Tab to reflect the change above.

    June 25, 2012 | John Kellerhals | 5.3 | Incorporated multiple sample sheets into this spreadsheet for ease of use.

    July 3, 2012 | John Kellerhals | 5.4 | Added Responsible Registered Entity Columns to support combined audits

    August 24, 2012 | John Kellerhals | 5.5 | Included feedback suggestions from entities

    November 15, 2012 | John Kellerhals | 6 | Release including instructions for 4 phases

    November 28, 2012 | John Kellerhals | 6.1 | Release including instructions for 4 phases