attachment c cip
7/28/2019 Attachment C CIP
1/42
Attachment "C" CIP Data List for Sampling
Sequence of Completion
Phase 1- RFC supplies Attachment C for entity to input required data.
Phase 2- Entity completes the three green colored tabs: Critical Assets, Cyber Assets, and Personnel and submits to RFC via
extranet. See Phase 2 instructions for more details.
Phase 3 - RFC performs sample selection and sends back to entity for detailed information requests (Device Sample and
Personnel Sample tabs will be populated with requested samples)
Phase 4 - Entity supplies detailed information back to RFC via extranet (Device Sample and Personnel Sample tabs completed)
RFC Action Required:
RFC supplies the Attachment C to the entity as part of the 90 day notification package. The CIP evidence list (Yellow Tab) is
customized for the entity audit scope.
Color Coded Tabs
Entity populates green tabs
Red colored tabs are meant to illustrate the information required once samples are selected by RFC. There is no need to fill in
this information.
Yellow colored Tab is customized by the ATL to assist the entity via a list of applicable in scope requirements with due dates and Samples as appropriate
Acronyms:
EACM - Electronic Access Control and Monitoring
AP - Access Point
CCA - Critical Cyber Asset
ESP - Electronic Security Perimeter
NCCA - Non-Critical Cyber Asset
PSP - Physical Security Perimeter
PACS - Physical Access Control System
Next Steps:
After this Workbook is completed, sent to and received by ReliabilityFirst, the audit team will apply a sampling methodology
to this data list in order to establish and define a specific random sample set to audit against. The audit team will then send
Evidence Requests for the specific random sample to the audited entity within 10 calendar days of receipt of a completed
Attachment C and/or no later than sixty five (65) calendar days prior to the scheduled review date of the Compliance Audit.
Standard Requirement
CIP-002-3 R1
CIP-002-3 R1.1
CIP-002-3 R1.2
CIP-002-3 R1.2.1
CIP-002-3 R1.2.2
CIP-002-3 R1.2.3
CIP-002-3 R1.2.4
CIP-002-3 R1.2.5
CIP-002-3 R1.2.6
CIP-002-3 R1.2.7
CIP-002-3 R2
CIP-002-3 R3
CIP-002-3 R4
CIP-003-3 R1
CIP-003-3 R1.1
CIP-003-3 R1.2
CIP-003-3 R3
CIP-003-3 R3.1
CIP-003-3 R3.2
CIP-003-3 R3.2
CIP-003-3 R3.3
CIP-003-3 R4
CIP-003-3 R4.3
CIP-003-3 R5
CIP-003-3 R5.1
CIP-003-3 R5.1.2
CIP-003-3 R5.2
CIP-003-3 R5.3
CIP-003-3 R6
CIP-003-3 R6
CIP-004-3 R1
CIP-004-3 R1
CIP-004-3 R2
CIP-004-3 R2.1
CIP-004-3 R2.2
CIP-004-3 R2.3
CIP-004-3 R3
CIP-004-3 R3
CIP-004-3 R3.1
CIP-004-3 R3.2
CIP-004-3 R3.3
CIP-004-3
CIP-005-3 R1
CIP-005-3 R1
CIP-005-3 R1
CIP-005-3 R1
CIP-005-3 R1
CIP-005-3 R1
CIP-005-3 R2
CIP-005-3 R2.1, R2.2
CIP-005-3 R2
CIP-005-3 R2
CIP-005-3 R2
CIP-005-3 R2
CIP-005-3 R2
CIP-005-3 R2.4⁴
CIP-005-3 R2.6⁴
CIP-005-3 R3
CIP-005-3 R3
CIP-005-3 R3
CIP-005-3 R3
CIP-005-3 R5 & R5.1
CIP-005-3 R5.2
CIP-005-3 R5.3
CIP-006-3 R1
CIP-006-3 R1
CIP-006-3 R1.1⁴
CIP-006-3 R1.1⁴
CIP-006-3 R1.2
CIP-006-3 R1.2
CIP-006-3 R1.3
CIP-006-3 R1.3
CIP-006-3 R1.4
CIP-006-3 R1.5
CIP-006-3 R1.6
CIP-006-3 R1.6
CIP-006-3 R1.7
CIP-006-3 R1.8
CIP-006-3 R2.1
CIP-006-3 R2.2
CIP-006-3 R3
CIP-006-3 R4
CIP-006-3 R5
CIP-006-3 R7
CIP-006-3 R8
CIP-006-3 R8.1
CIP-006-3 R8.2
CIP-006-3 R8.3
CIP-007-3 R1
CIP-007-3 R1
CIP-007-3 R1
CIP-007-3 R1.1
CIP-007-3 R1.2
CIP-007-3 R1.3
CIP-007-3 R2
CIP-007-3 R2.3⁴
CIP-007-3 R3⁴
CIP-007-3 R3⁴
CIP-007-3 R3⁴
CIP-007-3 R4⁴
CIP-007-3 R4⁴
CIP-007-3 R4⁴
CIP-007-3 R5
CIP-007-3 R5.2
CIP-007-3 R5.2
CIP-007-3 R5.3⁴
CIP-007-3 R5.3⁴
CIP-007-3 R5.3.1⁴
CIP-007-3 R5.3.2⁴
CIP-007-3 R5.3.3⁴
CIP-007-3 R6⁴
CIP-007-3 R6⁴
CIP-007-3 R6.1
CIP-007-3 R6.2
CIP-007-3 R6.2
CIP-007-3 R6.3⁴
CIP-007-3 R6.3⁴
CIP-007-3 R6.4, R6.5
CIP-007-3 R7
CIP-007-3 R7.3
CIP-007-3 R8
CIP-007-3 R8.1
CIP-007-3 R8.4
CIP-007-3 R8.4
CIP-007-3 R9
CIP-008-3 R1
CIP-008-3 R1.1
CIP-008-3 R1.2
CIP-008-3 R1.2
CIP-009-3 R1
CIP-009-3 R1
CIP-009-3 R1.1
CIP-009-3 R1.1
CIP-009-3 R1.2
CIP-009-3 R1
CIP-009-3 R2
CIP-009-3 R3
CIP-009-3 R4
CIP-009-3 R5
3. Evidence identified in this colu
1. Evidence identified in this listin
2. Evidence identified in this colu
Evidence¹
Provide Risk Based Assessment Methodology (RBAM)
Provide evidence that the RBAM includes both procedures and evaluation criteria, and that the evaluation criteria are risk-
based
Provide evidence that all required BES asset categories were evaluated by the RBAM for inclusion on Critical Asset List
Provide evidence that all control centers and backup control centers were considered by the RBAM
Provide evidence that all transmission substations were considered by the RBAM, and that evaluation of these assets was
performed at the substation level
Provide evidence that all generation resources were considered by the RBAM, and that evaluation of these assets was
performed at the level of greatest commonality
Provide evidence that at least the generator(s) used in the preferred restoration path are identified as Critical Assets
If applicable, provide system restoration plan
Provide evidence that all automatic load shedding systems meeting the parameters of the standard were considered by the
RBAM
Provide evidence that all special protection systems were considered by the RBAM
Provide evidence of any additional assets considered by the RBAM
Provide Critical Asset List derived through annual application of RBAM
Provide evidence of annual review of the Critical Asset list
Supporting Evidence:
For BES assets that were added or acquired, provide evidence that said assets were evaluated by the RBAM
Provide list of Critical Cyber Assets
Provide evidence that all cyber assets associated with each Critical Asset were evaluated as possible Critical Cyber Assets
Supporting Evidence:
If a comprehensive list of Cyber Assets was used as the basis for evaluation, provide this list. The list should 1) be grouped
by Critical Asset 2) have a unique identifier for the Cyber Asset such as a device name 3) the type of Cyber Asset (e.g. server,
workstation, network device, etc.) 4) the reliability functions the Cyber Asset supports 5) the network segments the Cyber
Asset is connected to (network segment identifier or Class C address space as depicted on a network topology diagram). If a
comprehensive list of Cyber Assets was not used as a basis for this evaluation, provide an explanation of how the Cyber
Assets associated with the Critical Asset were identified for consideration as a Critical Cyber Asset and the list of Cyber
Assets considered
Provide evidence that the senior manager or delegate approved RBAM, CA list, and CCA list
Provide Cyber Security Policy
Supporting Evidence:
Provide all policies referenced by the cyber security policy that address any of the requirements in CIP-002-3 through CIP-
009-3
Provide evidence that each version of the cyber security policy addresses each of the requirements in CIP-002-3 through CIP-
009-3 and contains provision for emergency situations
Provide evidence that the Cyber Security Policy, including any policy incorporated by reference, has been made readily
available to all personnel with authorized electronic or unescorted physical access to any Critical Cyber Asset
ReliabilityFirst CIP Evidence List
Provide documentation of exceptions to the Cyber Security Policy, including expired exceptions, or an assertion that there
have been no exceptions to the Cyber Security Policy during the compliance period
For each exception to the cyber security policy, provide evidence of the date of approval
For each exception to the cyber security policy, provide evidence of the explanation of the necessity for the exception
For each exception to the cyber security policy, provide evidence of any compensating measures
For each exception to the cyber security policy, provide evidence of the annual review
Provide information protection program
Provide evidence of an annual assessment of information protection program
Provide access control program
Provide list of designated personnel who are responsible for authorizing logical or physical access to protected information
Provide evidence of annual verification of the list of personnel responsible for authorizing access to protected information
Provide evidence of annual review of access privileges
Provide evidence of the annual assessment of processes for controlling access privileges to protected information
Provide the process for change control and configuration management
Provide evidence that the change control and configuration management process has been implemented
Provide awareness program
Provide evidence of awareness reinforcement
Provide Cyber Security Training Program
Supporting Evidence:
Addresses to whom it applies, delivery, review, and update frequencies
Provide Training Documentation, i.e., attendance records
Supporting Evidence:
Include all relevant personnel, documenting date of authorization and date of training
Provide training material that addresses all of R2.2 and its sub requirements
Provide training documentation that includes annual training completion dates
Provide Personnel Risk Assessment program
Provide documentation that specifies when the PRA was conducted and when access was granted
Provide documentation that the PRA program includes all elements of R3.1
Provide Personnel Risk Assessment Program language that addresses criteria with respect to "for cause" and schedules for
re-assessment
Provide documentation of assessment results for all relevant personnel
Supporting Evidence:
Documentation, i.e., database, application or spreadsheet that shows proof of assessments matched against CIP-004 R4
list(s)
Contract agreements and associated documentation
Provide list(s), i.e., spreadsheet, database or other application that tracks all electronic and physical access rights
Supporting Evidence for CIP-004 R2, R3, & R4:
Provide the following in a spreadsheet, database, etc. for anyone with electronic or physical access to a CCA
Employee name and ID (unique identifier)
Date electronic access granted
Specific electronic access granted
Date physical access granted
Specific physical access granted
Date electronic access removed
Date physical access removed
Date of original training
Date of annual training
Date initial PRA completed
Date PRA updated
For each Critical Cyber Asset identified per CIP-002-3 R3, identify the Electronic Security Perimeter (ESP) within which it
resides
For each ESP, identify each Cyber Asset residing within the perimeter
For each ESP, identify each access point to the ESP
For each ESP, identify each cyber asset used in the access control of the ESP
For each ESP, identify each cyber asset used in the monitoring of the ESP
For each ESP, provide a high-level diagram showing the major systems protected, all access points, and all access control
devices
For each ESP, provide documentation of processes and mechanisms for control of electronic access to the ESP
For R2.1, provide evidence that deny-by-default policy is deployed to sampled Access Points. For R2.2, provide evidence for
each sampled Access Point that Ports and Services are configured/implemented for operations and for monitoring of cyber
assets, including justification, within the respective ESP.
For each cyber asset used in the access control of an ESP, provide evidence that the access control model denies access by
default
Provide the procedure for securing dial-up access to each ESP
Provide evidence that the procedure for securing dial-up access to each ESP has been implemented, or an attestation that
no dial-up access exists for the ESP in question
For each ESP, if external interactive access to the ESP has been enabled, describe the controls used to authenticate the user
For each access control device, provide the document identifying the content of the acceptable use banner
Please see TFE Footnote #4 - Please provide your evidence organized by TFE ID#
Please see TFE Footnote #4 - Please provide your evidence organized by TFE ID#
For each ESP, provide the documented electronic or manual processes for monitoring and logging access at access points to
each ESP
Provide evidence that the above processes have been implemented
Provide evidence that the above processes are operational twenty-four hours a day, seven days a week
If applicable, provide evidence of alerts and notification of response personnel
Provide documentation of annual review for all evidence for CIP-005
Provide evidence that updates to network control documentation were made within 90 days of a change
For Access Points selected provide evidence that access logs are retained for at least ninety
calendar days.
Provide evidence for the following dates:
Date1
Date2
Date3
Date4
Provide Physical Security Plan
Provide documentation of approval of Physical Security Plan by the senior manager or delegate(s)
For each Cyber Asset within an ESP, identify the Physical Security Perimeter (PSP) associated with that Cyber Asset.
Please see TFE Footnote #4 - Please provide your evidence organized by TFE ID#
For each PSP, provide identification of all physical access points through the PSP and measures to control entry at those
access points
For each PSP, provide evidence that the measures above have been implemented
For each PSP, provide documentation of the processes, tools, and procedures for monitoring of physical access to the PSP
For each PSP, provide evidence that the processes, tools and procedures above have been implemented
Provide documentation of visitor pass management, response to loss, and prohibition of inappropriate use of physical access
controls
Provide documentation of review of access authorization requests and revocation of access authorization, in accordance with
CIP-004-3 Requirement R4.
For each PSP, provide logs of visitor entry and exit
For each PSP, provide evidence of continuous escorted access of visitors
Provide evidence that Physical Security Plan was updated within 30 calendar days of a physical security change
Provide evidence of an annual review of the Physical Security Plan
Provide documentation that physical access control systems are protected from unauthorized physical access
Provide documentation that physical access control systems are afforded the protective measures in the referenced
requirements; this may be addressed as part of the individual applicable requirements or directly in response to this
requirement
Provide documentation that electronic access control systems are located within an identified Physical Security Perimeter
For each PSP, provide documentation of operational and procedural controls to manage physical access at all access points
to the PSP
Provide evidence that Unauthorized access attempts are reviewed immediately and handled in accordance with the
procedures specified in Requirement CIP-008-3. Provide evidence of the 90 days prior to the 90 day notification.
P id d t ti id tif i th th d f l i h i l
Provide evidence of physical access logs for the implemented logging solution(s) that demonstrates
90 calendar days' worth of logs.
Provide evidence for the following dates:
Date1
Date2
Date3
Date4
Date5
For each PSP, provide evidence of a maintenance and testing program for all physical security systems
For each PSP, provide evidence of testing and maintenance of all physical security mechanisms
For each PSP, provide the retention period for the testing and maintenance records
For each PSP, provide the retention period for outage records regarding access controls, logging and monitoring
Provide evidence that all Cyber Assets within the Electronic Security Perimeter are subject to the required test procedures
Provide evidence that all cyber security controls have been included in the test plans
Provide evidence (including test results) that all significant updates made to Cyber Assets selected have been tested.
Provide evidence for the past year immediately prior to the 90 day notification.
Provide documentation that testing was performed in a manner that minimizes impact on the production environment
Provide documentation that testing was performed in a manner that reflects the production environment
Provide documentation of test results
For each Cyber Asset selected, provide a list of each active port and service. For each active port and service identified,
provide a description of the port or service and identify the need for that port or service to be enabled
Please see TFE Footnote #4 - Please provide your evidence organized by TFE ID#
Provide the security patch management program
For each Cyber Asset selected, provide evidence of the assessment and implementation of security patches.
Please see TFE Footnote #4 - Please provide your evidence organized by TFE ID#
For each Cyber Asset selected, provide evidence of the implementation of anti-virus and malware prevention tools and
testing and installation of signature updates.
Provide documentation of the process used to update anti-malware signatures
Please see TFE Footnote #4 - Please provide your evidence organized by TFE ID#
Provide documentation of technical and procedural controls that enforce access authentication and accountability of all
user activity
P id id th t t i l t d th i d
Provide policy on use of administrator, shared, and other generic account privileges
Identify those individuals with access to shared accounts
Provide evidence that passwords adhere to 5.3 sub requirements as technically feasible
Please see TFE Footnote #4 - Please provide your evidence organized by TFE ID#
Please see TFE Footnote #4 - Please provide your evidence organized by TFE ID#
Please see TFE Footnote #4 - Please provide your evidence organized by TFE ID#
Please see TFE Footnote #4 - Please provide your evidence organized by TFE ID#
Provide explanation of how security status monitoring is implemented
Please see TFE Footnote #4 - Please provide your evidence organized by TFE ID#
Provide documentation of the mechanisms to monitor security events within each ESP
Provide documentation of alerting system configuration
Provide a listing of alerts generated by the monitoring systems
Provide evidence that logs of system events related to cyber security are maintained
Please see TFE Footnote #4 - Please provide your evidence organized by TFE ID#
For each Cyber Asset selected provide evidence that logs of system events related to cyber
security are maintained and reviewed.
Provide evidence for the following dates:
Date1
Date2
Date3
Date4
Date5
Provide documentation on methods, processes, and procedures for disposal or redeployment of Cyber Assets within the
ESP
Provide records that assets were disposed of or redeployed in accordance with documented procedures
Provide documentation of the annual vulnerability assessment of all Cyber Assets within the ESP
Provide documentation of vulnerability assessment process
Provide documentation of results of annual cyber vulnerability assessment
If applicable, provide action plan to remediate or mitigate vulnerabilities and the execution status of the action plan
Provide documentation and records demonstrating the annual review and update of all documentation for CIP-007
Provide Cyber Security Incident Response Plan
Provide procedure for characterizing and classifying events as reportable Cyber Security Incidents
Provide roles and responsibilities
Provide incident handling procedure
Provide communication plans
Provide Critical Cyber Asset Recovery Plans
List the Recovery plan that covers the selected cyber assets.
Provide conditions that would invoke the recovery plan
Provide recovery actions
Provide roles and responsibilities
Provide evidence of annual review
Provide history of recovery plan exercises conducted, including 1) type of test (e.g. paper drill, table-top exercise, full
response drill, etc.) 2) date of test 3) event(s) or condition(s) tested
Provide documentation of changes to the recovery plan(s) and documentation of all communications
Provide documentation regarding the backup and storage of information
Provide documentation of annual testing of backup media
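Notes
1. Evidence identified in this listing is the result of each requirement. This listing is intended to provide guidance to the entities in preparation for their audits or continued
2. Evidence identified in this column must be submitted 40 days before the scheduled audit review date.
3. Evidence identified in this column must be submitted as designated by ReliabilityFirst.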
40 Days²
Upon Request³
X
X
X
X
X
X
X
X
X
X
X
X
X
X X
X
X
Not in Scope X
Not in Scope X
Not in Scope X
Not in Scope X
Not in Scope X
Not in Scope X
Not in Scope X
X
X
X
X
X
X
See Device Sampling Tab
X
See Personnel Sampling Tab
See Personnel Sampling Tab
See Personnel Sampling Tab
See Personnel Sampling Tab
See Personnel Sampling Tab
X
See Personnel Sampling Tab
See Personnel Sampling Tab
X
See Personnel Sampling Tab
See Personnel Sampling Tab
X
X
X
X
X
X
X
See Device Sampling Tab
X
X
X
X
X
X
X
X
X
X
X
X
X See Device Sampling Tab
See Device Sampling Tab
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X See Device Sampling Tab
X See Device Sampling Tab
X
See Device Sampling Tab
See Device Sampling Tab
X
X
X
X
X
X
See Device Sampling Tab
X
X
X
See Device Sampling Tab
X
X
See Device Sampling Tab
X
See Device Sampling Tab
X
X
X
X
See Personnel Sample Tab
See Personnel Sample Tab
X
X
X
X
X
X
See Device Sampling Tab
See Device Sampling Tab
See Device Sampling Tab
See Device Sampling Tab
X
See Device Sampling Tab
X
X
X
X
See Device Sampling Tab
See Device Sampling Tab
X
X
X
X
X
X
See Device Sampling Tab
X
X
X
X
X
Not in Scope X
X
X
tities in preparation for their audits or continued
Attachment "C" CIP Data List for Sampling Phase 2 Instructions
Entity Action Required:
Please complete all the worksheets within this spreadsheet and return to ReliabilityFirst no later than seventy five (75)
calendar days prior to the scheduled review date of the Compliance Audit
Please complete the following worksheets:
Critical Assets (List of all Critical Assets)
Critical Assets -Name of Critical Asset
Asset Function - Enter the function of the Critical Asset, e.g. Primary/Back-Up/Alternate Control Center, Substation, etc.
Responsible Registered Entity- For a combined audit of multiple registered entities
Cyber Assets (List of all Cyber Assets and the associated ESP and PSP- Indicate CCA, NCCA, AP, EACM, PACS)
Cyber Asset Name - Name of the Cyber Asset
Critical Asset Name - Name of the Critical Asset where the Cyber Asset resides
ESP Name - Name of ESP containing Cyber Asset
PSP Name - Name of PSP containing Cyber Asset
Vendor - Name of vendor for identified Cyber Asset
Model - Model Name and Number of identified Cyber Asset
IOS / Platform or Operating System - Name of platform or operating system running on the Cyber Asset (e.g. Windows, NT,
Linux, Unix, DB/App, N/A, etc.)
Virtual Machine - Enter "Yes" or "No" if the asset is a virtual machine
Asset Type - Enter the type of device, e.g. workstation, server, firewall, switch, IDS, printer, database, etc.
Supporting Organization - Name of internal organization supporting identified CA (e.g. EMS, Substation, Corp IT, Corp
Security, etc.)
Cyber Asset Type (CCA, NCCA, AP, EACM, PACS)
Responsible Registered Entity- For a combined audit of multiple registered entities
Personnel (List of all personnel with authorized cyber or authorized unescorted physical access to critical cyber assets and
identification of terminated personnel or personnel role changes within the past six (6) months)
Name - Name of individual
Access Type - Should be Physical, Cyber, or Both
Personnel Type - Should be Employee, Contractor, Vendor or Other
Date of Termination and/or Personnel Role Change - Identify the date of termination or personnel organization change.
Enter N/A if active employee and no personnel role and responsibility change within past six (6) months.
Responsible Registered Entity- For a combined audit of multiple registered entities
Color Coded Tabs
Entity populates green tabs
Red colored tabs are meant to illustrate the information required once samples are selected by RFC. There is no need to fill in
this information.
Yellow colored Tab is customized by the ATL to assist the entity via a list of applicable in scope requirements with due dates
Acronyms:
EACM - Electronic Access Control and Monitoring
AP - Access Point
CCA - Critical Cyber Asset
ESP - Electronic Security Perimeter
NCCA - Non-Critical Cyber Asset
PSP - Physical Security Perimeter
PACS - Physical Access Control System
Next Steps:
After this Workbook is completed, sent to and received by ReliabilityFirst, the audit team will apply a sampling methodology
to this data list in order to establish and define a specific random sample set to audit against. The audit team will then send
Evidence Requests for the specific random sample to the audited entity within 10 calendar days of receipt of a completed
Attachment C and/or no later than sixty five (65) calendar days prior to the scheduled review date of the Compliance Audit.
Sequential number | Critical Asset | Asset Function | Responsible Registered Entity
1 | SOUTHPARK | PRIMARY CONTROL CENTER | RE1
2 | NORTHPARK | BACK-UP CONTROL CENTER | RE2
3 | CEDARCREEK | SUBSTATION | RE3
Sequential number | Cyber Asset Name | Critical Asset where CCA resides | Name of ESP where CA resides | Name of PSP where CA resides | Vendor | Model | IOS / Platform or Operating System
1 | EXAMPLE_ABC | SOUTHPARK | EXAMPLE_PCC | EXAMPLE_PSP | IBM | NetVista | Windows 2000
2 | EXAMPLE_DEF | NORTHPARK | EXAMPLE_SCC | EXAMPLE2_PSP | HP | AU600 | TRU64 UNIX
3 | EXAMPLE_GHI | SOUTHPARK | EXAMPLE_SUBSTATION | EXAMPLE3_PSP | Gener | B2NR8NX0D | N/A
4 | EXAMPLE_JKL | SOUTHPARK | EXAMPLE_SUBSTATION | EXAMPLE4_PSP | Gener | B2NR8NX0D | N/A
5 | EXAMPLE_MNO | SOUTHPARK | EXAMPLE_SUBSTATION | EXAMPLE5_PSP | Gener | B2NR8NX0D | N/A
Sequential number | Name | Access Type | Personnel Type | Date of Termination
1 | LASTNAME, FIRSTNAME | Physical Access | Contractor | N/A
2 | LASTNAME2, FIRSTNAME2 | Cyber Access | Vendor | 12/15/2011
3 | LASTNAME3, FIRSTNAME3 | Both | Employee | N/A
Date of Personnel Change | Responsible Registered Entity | Terminated for Cause?
12/15/2011 | RE1 | Y/N
12/15/2011 | RE2 | Y/N
1/3/2012 | RE3 | Y/N
Sequential number | Critical Cyber Asset Name | Critical Asset where CCA resides | Name of ESP where CCA resides | Name of PSP where CCA resides | Vendor | Model | IOS / Platform or Operating System | Virtual Machine
Asset Type | Supporting Organization | Cyber Asset Type | Responsible Registered Entity | CIP3 R6 | CIP5 R2.1, R2.2 | CIP5 R3.2
CIP3 R6: For the selected Cyber Assets, provide documentation to demonstrate that the change control and configuration management process has been implemented. Provide changes for the past year immediately prior to the 90 day notification.
CIP5 R2.1, R2.2: For R2.1, provide evidence that deny-by-default policy is deployed to sampled Access Points. For R2.2, provide evidence for each sampled Access Point that Ports and Services are configured/implemented for operations and for monitoring of cyber assets, including justification, within the respective ESP.
CIP5 R3.2: Provide evidence of alerts for each sampled Access Point where attempts at or actual unauthorized accesses were detected. If alerting was not technically feasible for sampled Access Points provide evidence of manual review of logs at least every 90-days.
Provide evidence of
CCA, NCCA, AP, EACM, PACS
CIP5 R5.3 | CIP6 R5 | CIP6 R7 | CIP7 R1 | CIP7 R2 | CIP7 R3 | CIP7 R4
CIP5 R5.3: For Access Points selected provide evidence that access logs are retained for at least ninety calendar days. Provide evidence for the following dates: Date1, Date2, Date3, Date4, Date5
CIP6 R5: Provide evidence that Unauthorized access attempts are reviewed immediately and handled in accordance with the procedures specified in Requirement CIP-008-3. Provide evidence of the 90 days prior to the 90 day notification.
CIP6 R7: Provide evidence of physical access logs for the implemented logging solution(s) that demonstrates 90 calendar days' worth of logs. Provide evidence for the following dates: Date1, Date2, Date3, Date4, Date5
CIP7 R1: Provide evidence (including test results) that all significant updates made to Cyber Assets selected have been tested. Provide evidence for the past year immediately prior to the 90 day notification.
CIP7 R2: For each Cyber Asset selected, provide a list of each active port and service. For each active port and service identified, provide a description of the port or service and identify the need for that port or service to be enabled
CIP7 R3: For each Cyber Asset selected, provide evidence of the assessment and implementation of security patches.
CIP7 R4: For each Cyber Asset selected, provide evidence of the implementation of anti-virus and malware prevention tools and testing and installation of signature updates.
CIP7 R5.1.2 | CIP7 R6 | CIP 9 R1
CIP7 R5.1.2: Provide evidence of audit trails of individual user account activity demonstrating 90 days worth of logs/audit trails. Provide evidence for the following dates: Date1, Date2, Date3, Date4, Date5
CIP7 R6: For each Cyber Asset selected provide evidence that logs of system events related to cyber security are maintained and reviewed. Provide evidence for the following dates: Date1, Date2, Date3, Date4, Date5
CIP 9 R1: List the Recovery plan that covers the selected cyber assets.
Sequential number | Name | Access Type | Personnel Type | Group | Responsible Registered Entity
2010 DATES or oldest on record
2011 DATES
2012 DATES
TRAINING
ATTENDANCE LOG REQUESTED (Y/N)
OLDEST ON RECORD
MOST RECENT
NEXT
SS# CHECK (Y/N)
7 YR CRIMINAL CHECK (Y/N)
REDACTED PRA SAMPLE REQUESTED (for most recent PRA) (Y/N) (RFC to complete)
REDACTED PRA SAMPLE RECEIVED (for most recent PRA)
DATE
AUTHORIZATION DATE
PRA DATES PRA CONTENTS
GRANTED DATE
CURRENT STATUS - ACTIVE / NON ACTIVE
ANY CHANGE IN ACCESS RIGHTS (Y/N)
DATE CHANGE IDENTIFIED
DATE CHANGE MADE
ACCESS REVOCATION REQUIRED (Y/N)
EMPLOYMENT TERMINATED FOR CAUSE (Y/N)
IF YES, TERMINATION DATE
ACCESS NO LONGER REQUIRED (Y/N)
CRITICAL CYBER ASSET - AUTHORIZED CYBER ACCESS
IF YES, DATE IDENTIFIED
ACCESS REVOCATION DATE
AUTHORIZATION DATE
GRANTED DATE
CURRENT STATUS - ACTIVE / NON ACTIVE
ANY CHANGE IN ACCESS RIGHTS (Y/N)
DATE CHANGE IDENTIFIED
DATE CHANGE MADE
ACCESS REVOCATION REQUIRED (Y/N)
CRITICAL CYBER ASSET - AUTHORIZED UNESCO
EMPLOYMENT TERMINATED FOR CAUSE (Y/N)
IF YES, TERMINATION DATE
ACCESS NO LONGER REQUIRED (Y/N)
IF YES, DATE IDENTIFIED
ACCESS REVOCATION DATE
CIP 006 R1.5: Provide 1 evidence file for all sampled personnel
CIP 007 R5: Provide 1 evidence file for all sampled personnel
RFC COMMENTS
RTED PHYSICAL ACCESS
ENTITY COMMENTS
Attachment "C" CIP Data List for Sampling Phase 3 Instructions
RFC Action Requir ed:Select samples and populate the Device Sample and Personnel Sample tabs
using approved methodology (and Device Sample Matrix and Personnel
Sample Templates) and return to entity no later than sixty- five (65)
calendar days prior to the scheduled review date of the Compliance Audit.
Please complete the following worksheets:
Device Sample (List of selected Cyber Assets and the associated Standards
and Requirements merged with Device Sample Matrix)
Pull required samples using approved methodology and merge with Device
Sample Matrix. Change Device Sample tab color to Green prior to sending
to entity.
Cyber Asset Name - Name of the Cyber Asset
Critical Asset Name - Name of the Critical Asset where the Cyber Asset
resides
ESP Name - Name of ESP containing Cyber Asset
PSP Name - Name of PSP containing Cyber Asset
Vendor - Name of vendor for identified Cyber Asset
Model - Model Name and Number of identified Cyber Asset
IOS / Platform or Operating System - Name of platform or operating
system running on the Cyber Asset (e.g. Windows, NT, Linux, Unix,
DB/App, N/A, etc.)
Virtual Machine - Enter "Yes" or "No" if the asset is a virtual machine
Asset Type - Enter the type of device, e.g. workstation, server, firewall,
switch, IDS, printer, database, etc.
Supporting Organization - Name of internal organization supporting
identified CA (e.g. EMS, Substation, Corp IT, Corp Security, etc.)
Cyber Asset Type (CCA, NCCA, AP, EACM, PACS)
Responsible Registered Entity - For a combined audit of multiple registered
entities
Personnel Sample (List of selected personnel with authorized cyber or
Personnel Type - Should be Employee, Contractor, Vendor or Other
Date of Termination and/or Personnel Role Change - Identify the date of
termination or personnel organization change. Enter N/A if active employee
and no personnel role and responsibility change within past six (6) months.
Responsible Registered Entity - For a combined audit of multiple registered
entities
Colored Coded Tabs
Entity populates green tabs
Red colored tabs are meant to illustrate the information required once
samples are selected by RFC. There is no need to fill in this information.
Yellow colored Tab is customized by the ATL to assist the entity via a list
of applicable in scope requirements with due dates and Samples as
appropriate
Sequence of Completion
Phase 1 - RFC supplies Attachment C for entity to input required data.
Phase 2 - Entity completes the three green colored tabs Critical Assets, Cyber
Assets, and Personnel and submits to RFC via extranet
Phase 3 - RFC performs sample selection and sends back to entity for
detailed information requests (Device Sample and Personnel Sample tabs
will be populated with requested samples)
Phase 4 - Entity supplies detailed information back to RFC via extranet
(Device Sample and Personnel Sample tabs completed)
Acronyms:
EACM - Electronic Access Control and Monitoring
AP - Access Point
CCA - Critical Cyber Asset
ESP - Electronic Security Perimeter
NCCA - Non-Critical Cyber Asset
PSP - Physical Security Perimeter
PACS - Physical Access Control System
Attachment "C" CIP Data List for Sampling Phase 4 Instructions
Entity Action Required:
Complete the Device Sample and Personnel Sample tabs per below
instructions and return to RFC no later than forty (40) calendar days
prior to the scheduled review date of the Compliance Audit.
Please complete the following worksheets:
Device Sample (List of selected Cyber Assets and the associated Standards
and Requirements)
Please provide an evidence file reference for each Standard/Requirement
column listed that is not "greyed out". It is preferred that each requirement
will have one PDF file with the information contained within for all the
samples within that requirement.
Personnel Sample (List of selected personnel with authorized cyber or
authorized unescorted physical access to critical cyber assets and
identification of terminated personnel or personnel role changes within the
past six (6) months)
Complete the required fields for each person
For the columns CIP 6 R1.5 and CIP 7 R5, it is preferred that each
requirement will have one file with the information contained within for all
the samples within that requirement. In this file, please include the
appropriate training records and redacted PRAs for the selected individuals.
Colored Coded Tabs
Entity populates green tabs
Red colored tabs are meant to illustrate the information required once
samples are selected by RFC. There is no need to fill in this information.
Yellow colored Tab is customized by the ATL to assist the entity via a list
of applicable in scope requirements with due dates and Samples as
appropriate
Sequence of Completion
Acronyms:
EACM - Electronic Access Control and Monitoring
AP - Access Point
CCA - Critical Cyber Asset
ESP - Electronic Security Perimeter
NCCA - Non-Critical Cyber Asset
PSP - Physical Security Perimeter
PACS - Physical Access Control System
Date | Name | Version Number | Changes
December 17, 2010 | Bob Yates | 1 | Initial release of Attachment C spreadsheet
February 15, 2011 | Bob Yates | 2 | Added type to Critical assets, critical cyber assets and non-critical cyber assets
October 19, 2011 | Bob Yates | 3 | Added a changes tab and instruction to gather the total population of changes from 10/1/2010 through the 90 notification. This will allow for sampling of changes for CIP-003 R6
December 19, 2011 | Kristie Purcell | 4 | Changed due date in instructions from 30 days to 75 days.
December 20, 2011 | Rhonda Bramer | 5 | Added Asset Function field to Instruction and Critical Asset Tab; Added Vendor; Model; Platform or O/S; Function Performed; and Supporting Organization fields to the CCA, Non-CCA, ESP Access Points and ACM and Instruction tabs. Changed abbreviation to acronyms and added acronyms to the Instructions tab. Added examples to the worksheets and formatted.
January 23, 2012 | Rhonda Bramer | 5.1 |
1) Changed field "Asset Function" to "Asset Type" on the CCA, NCCA, AP and ACM tabs for clarity;
2) Added filters on each worksheet to enable filtering capability for each tab/worksheet
3) Removed Changes tab
4) Added "Date of Termination" and "Date of Personnel Role Change" column to Personnel tab.
5) Added "Critical Asset" column to CCA, NCCA, AP and ACM tabs to map respective assets back to the Critical Asset.
6) Added additional examples to each of the worksheets
7) Updated the Instructions tab to reflect above changes.
8) Moved Instruction tab to be the first worksheet within workbook.
9) Moved the Personnel tab to be after ACM worksheet.
February 23, 2012 | Todd Thompson | 5.2 | Added a "Yes" or "No" column for "Virtual Machine" in the following tabs: Critical Cyber Assets, Non-Critical Cyber Assets, ESP Access Points and Access Control and Monitoring. Also updated the Instructions Tab to reflect the change above.
June 25, 2012 | John Kellerhals | 5.3 | Incorporated multiple sample sheets into this spreadsheet for ease of use.
July 3, 2012 | John Kellerhals | 5.4 | Added Responsible Registered Entity Columns to support combined audits
August 24, 2012 | John Kellerhals | 5.5 | Included feedback suggestions from entities
November 15, 2012 | John Kellerhals | 6 | Release including instructions for 4 phases
November 28, 2012 | John Kellerhals | 6.1 | Release including instructions for 4 phases