audit notification letter - midwest reliability organizations audit... · 1 . delivery method: via...
TRANSCRIPT
1
Delivery Method: Via E-mail and the FTP2 site of MRO’s EFT Server
Confidential and Non-Public
Audit Notification Letter
[Insert Date Here]
Registered Entity Name
Registered Entity Acronym
NCR ID # (NERC Compliance Registry – NCR)
Registered Entity Contact
[Primary Contact]
Registered Entity Address
Compliance Audit Type
[Operations & Planning and/or CIP]
Audit Dates – on-site/off-site
[If O&P and CIP audit periods dates are different - note both dates here]
Audit Period (Monitoring Period)
[Insert Dates]
Registered Entity Functional Registration
[Enter all functions that are applicable to registered entity]
CFR’s or Delegation Agreement
[Optional – delete if not used]
2
Dear PCC:
Entity Name (hereinafter Entity Acronym) NERC ID: (NCRXXXX) MRO (NCRXXXX) RF (NCRXXXX) SPP (NCRXXXX) TRE (NCRXXXX) WECC, etc.), is scheduled to receive a Compliance Audit from Month xx, 20xx, through Month xx, 20xx. The audit scope includes CIP, Operations, and Planning NERC Reliability Standards, and is based on a reliability risk-based assessment conducted by MRO in conjunction with/on behalf of itself and SPP, RF, TRE, WECC. The objective of the compliance audit is to review evidence that provides reasonable assurance of compliance or findings related to the applicable Reliability Standards. The Compliance Audit is conducted in accordance with the Compliance Monitoring and Enforcement Program (CMEP) and applicable NERC Rules of Procedure approved by the applicable regulator (in the United States, the Federal Energy Regulatory Commission).
The following personnel will be participating in the audit:
Audit Team Members and Participants Team Members/Participants CMEP Activity Role Region/Affiliation
Julie Sikes Audit Team Lead (ATL) MRO Jim Morales Auditor MRO Rafik Halim Auditor MRO Richard Samec Auditor MRO Jess Syring Auditor MRO Dave Taylor Auditor MRO Michael Taube Auditor MRO Sara Patrick Observer MRO
This audit will be conducted by all or some, of the audit team members in the table above. [Entity] may object to any member of the audit team on grounds of a conflict of interest or the existence of other circumstances that could interfere with the team member’s impartial performance of his or her duties (see audit team bios). Any such objections must be provided in writing to the ATL no later than fifteen (15) days prior to the start of on-site audit work.
The documents in the table below are included in this audit notification. Please note: Certain documents require completion and are required to be returned by their respective due dates shown in the table below.
Document Name/Description
Document Type
Document Name
Location/Folder Name
Audit Scope Informational Appendix A Attached
3
Contains the standards and requirements related to the compliance audit.
Audit Team Biographies Informational Audit Team Biographies.pdf
FTP2 Site of MRO’s EFT
server
Operations and Planning Reliability Standards
Request for Information (RFI)
Data Requests
Ops Planning Reliability
Standards RFI Spreadsheet.xlsx
FTP2 Site of MRO’s EFT
server
RFI Worksheets Data Requests FTP2 Site of MRO’s EFT
server
CIP Reliability Standards Request for Information
(RFI) Data Requests
CIP Reliability Standards RFI
Spreadsheet.xlsx
FTP2 Site of MRO’s EFT
server
Reliability Standard Audit Worksheets
(RSAWs) Data Requests
FTP2 Site of MRO’s EFT
server
MRO Audit Certification Informational/Attestation MRO Audit Certification
FTP2 Site of MRO’s EFT
server
Internal Compliance Program Questionnaire Data Request
Internal Compliance
Program Questionnaire.docx
FTP2 Site of MRO’s EFT
server
In regard to the evidence request items described above and other data requested by MRO, please note that unless otherwise specified, we request that you provide copies of the original, un-redacted and un-combined copies in Word, Excel, Power Point format (non-PDF) or the “native” format for the requested item(s). Please send all responses and supporting documents back to MRO via the FTP2 site of MRO’s Encrypted EFT site no later than the dates listed below (please note the important dates/deadlines below are subject to change and not inclusive):
4
Important Dates/Deadlines
Description Date Operations and Planning Reliability Standards Request for Information (RFI)
Item “OP-01”: Delete if not being requested. [ DATE that is 15 calendar days AFTER THIS
LETTER IS SENT TO RE] Items “OP-02” – “OP-17”: LIST SPECIFIC RFI NUMBERS [DATE that is 15 calendar days AFTER this letter
is sent to RE] RFI Worksheets [Date that is 15 calendar days AFTER this letter
is sent to RE] CIP Reliability Standards Request for Information (RFI)
Round 1 Request: Rounds [DATE that is 15 calendar days AFTER this letter is sent to RE]
Round 2 and/or Round 3 Request: Rounds [DATE that is 15 calendar days BEFORE start of
audit] Reliability Standard Audit Worksheets (RSAWs)
[DATE that is 15 calendar days BEFORE start of audit]
MRO Audit Certification [DATE that is 15 calendar days BEFORE START OF AUDIT]
Internal Compliance Program Questionnaire
[DATE that is 15 calendar days BEFORE START OF AUDIT]
In addition to the MRO audit notification packet sent to the designated Primary Compliance Contact, please note that the designated Authorized Officer has received an MRO Audit Certification Letter. The letter explains the objectives of the compliance audit and delegated authority with NERC. Please let us know if you have any questions.
MRO Compliance Office 380 St. Peter Street, Suite 800 St. Paul, MN 55102 Copy: Entity Authorized Officer NERC
Regional Contacts Audit Team
5
Appendix A - Standards and Requirements included in Audit Scope
Standard(s) Requirement(s)
Title
BAL-001-2 Real Power Balancing Control Performance BAL-002-1 Disturbance Control Performance BAL-003-1.1 Frequency Response and Bias BAL-004-0 Time Error Correction BAL-005-0.2b
Automatic Generation Control
BAL-006-2 Inadvertent Interchange COM-001-3 Communications COM-002-4 Operating Personnel Communications Protocols EOP-001-2.1b Emergency Operations Planning EOP-002-3.1 Capacity and Energy Emergencies EOP-003-2 Load Shedding Plans EOP-004-2 Event Reporting EOP-005-2 System Restoration from Blackstart Resources EOP-006-2 System Restoration Coordination EOP-008-1 Loss of Control Center Functionality EOP-010-1 Geomagnetic Disturbance Operations EOP-011-1 Emergency Plan Development and Coordination FAC-001-1 Facility Connection Requirements FAC-002-2 Coordination of Plans For New Generation,
Transmission, and End-User Facilities FAC-003-4 Transmission Vegetation Management FAC-008-3 Facility Ratings FAC-010-2.1 System Operating Limits Methodology for the
Planning Horizon FAC-011-2 System Operating Limits Methodology for the
Operations Horizon FAC-013-2 Assessment of Transfer Capability for the Near-term
Transmission Planning Horizon FAC-014-2 Establish and Communicate System Operating Limits INT-001-3 Interchange Information INT-003-3 Interchange Transaction Implementation INT-004-2 Dynamic Interchange Transaction Modifications INT-005-3 Interchange Authority Distributes Arranged
Interchange INT-006-3 Response to Interchange Authority INT-007-1 Interchange Confirmation INT-008-3 Interchange Authority Distributes Status INT-009-1 Implementation of Interchange
6
INT-010-1 Interchange Coordination Exemptions IRO-001-4 Reliability Coordination - Responsibilities and
Authorities IRO-002-2 Reliability Coordination - Facilities IRO-003-2 Reliability Coordination - Wide-Area View IRO-004-2 Reliability Coordination - Operations Planning IRO-005-3.1a Reliability Coordination - Current Day Operations IRO-006-5 Reliability Coordination - Transmission Loading Relief
(TLR) IRO-008-1 Reliability Coordinator Operational Analyses and Real-
time Assessments IRO-009-1 Reliability Coordinator Actions to Operate Within
IROLs IRO-010-1a Reliability Coordinator Data Specification and
Collection IRO-014-1 Procedures, Processes, or Plans to Support
Coordination Between Reliability Coordinators IRO-015-1 Notifications and Information Exchange Between
Reliability Coordinators IRO-016-1 Coordination of Real-time Activities Between
Reliability Coordinators MOD-001-1a Available Transmission System Capability MOD-004-1 Capacity Benefit Margin MOD-008-1 Transmission Reliability Margin Calculation
Methodology MOD-010-0 Steady-State Data for Modeling and Simulation of the
Interconnected Transmission System MOD-012-0 Dynamics Data for Modeling and Simulation of the
Interconnected Transmission System MOD-016-1.1 Documentation of Data Reporting Requirements for
Actual and Forecast Demands, Net energy for Load, and Controllable Demand-Side Management
MOD-017-0.1 Aggregated Actual and Forecast Demands and Net Energy for Load
MOD-018-0 Treatment of Nonmember Demand Data and How Uncertainties are Addressed in the Forecasts of Demand and Net Energy for Load
MOD-019-0.1 Reporting of Interruptible Demands and Direct Control Load Management
MOD-020-0 Providing Interruptible Demands and Direct Control Load Management Data to System Operators and Reliability Coordinators
7
MOD-021-1 Documentation of the Accounting Methodology for the Effects of Demand-Side Management in Demand and Energy Forecasts
MOD-025-2 Verification and Data Reporting of Generator Real and Reactive Power Capability and Synchronous Condenser Reactive Power Capability
MOD-026-1 Verification of Models and Data for Generator Excitation Control System or Plant Volt/Var Control Functions
MOD-027-1 Verification of Models and Data for Turbine/Governor and Load Control or Active Power/Frequency Control Functions
MOD-028-2 Area Interchange Methodology MOD-029-1a Rated System Path Methodology MOD-030-2 Flowgate Methodology MOD-032-1 Data for Power System Modeling and Analysis NUC-001-3 Nuclear Plant Interface Coordination PER-001-0.2 Operating Personnel Responsibility and Authority PER-003-1 Operating Personnel Credentials PER-004-2 Reliability Coordination - Staffing PER-005-2 System Personnel Training PRC-001-1.1 System Protection Coordination PRC-002-2 Disturbance Monitoring and Reporting Requirements PRC-004-4(i) Analysis and Mitigation of Transmission and
Generation Protection System Misoperations PRC-005-6 Protection System, Automatic Reclosing, and Sudden
Pressure Relaying Maintenance PRC-006-1 Automatic Underfrequency Load Shedding PRC-008-0 Implementation and Documentation of Underfrequency
Load Shedding Equipment Maintenance Program PRC-010-0 Technical Assessment of the Design and Effectiveness
of Undervoltage Load Shedding Program PRC-011-0 Undervoltage Load Shedding System Maintenance and
Testing PRC-015-0 Special Protection System Data and Documentation PRC-016-0.1 Special Protection System Misoperations PRC-017-0 Special Protection System Maintenance and Testing PRC-018-1 Disturbance Monitoring Equipment Installation and
Data Reporting PRC-019-2 Coordination of Generating Unit or Plant Capabilities,
Voltage Regulating Controls, and Protection PRC-021-1 Under-Voltage Load Shedding Program Data PRC-022-1 Under-Voltage Load Shedding Program Performance
8
PRC-023-4 Transmission Relay Loadability PRC-024-2 Generator Frequency and Voltage Protective Relay
Settings PRC-025-1 Generator Relay Loadability TOP-001-3 Transmission Operations TOP-002-4 Operations Planning TOP-003-3 Planned Outage Coordination TOP-004-2 Transmission Operations TOP-005-2a Operational Reliability Information TOP-006-2 Monitoring System Conditions TOP-007-0 Reporting System Operating Limit (SOL) and
Interconnection Reliability Operating Limit (IROL) Violations
TOP-008-1 Response to Transmission Limit Violations TPL-001-4 Transmission System Planning Performance
Requirements TPL-002-0b System Performance Following Loss of a Single Bulk
Electric System Element (Category B) TPL-003-0b System Performance Following Loss of Two or More
Bulk Electric System Elements (Category C) TPL-004-0a System Performance Following Extreme Events
Resulting in the Loss of Two or More Bulk Electric System Elements (Category D)
TPL-007-1 R1 Transmission System Planned Performance for Geomagnetic Disturbance Events
VAR-001-4.1 Voltage and Reactive Control VAR-002-4 Generator Operation for Maintaining Network Voltage
Schedules CIP-002-5.1a R2 Cyber Security - BES Cyber System Categorization CIP-003-6 R2 Cyber Security - Security Management Controls CIP-004-6 R3,R4,R5 Cyber Security - Personnel & Training CIP-005-5 R1,R2 Cyber Security - Electronic Security Perimeter(s) CIP-006-6 R1,R2,R3 Cyber Security - Physical Security of BES Cyber
Systems CIP-007-6 R1,R2,R3,R4,R5 Cyber Security - Systems Security Management CIP-009-6 R1,R2 Cyber Security – Recovery Plans for BES Cyber
Systems CIP-010-2 R1,R2 Cyber Security - Configuration Change Management
and Vulnerability Assessments CIP-011-2 R1,R2 Cyber Security - Information Protection CIP-014-2 R1 Cyber Security - Physical Security
Non-Public and Confidential Date AO NAME AO Title Audit Entity ADDRESS AO E-mail Address Subject: Compliance Audit Letter Dear Entity Contact, Authorized Officer: Audit (hereinafter ) is scheduled to receive a Compliance Audit Audit Start Date to Audit End Date. The audit scope includes CIP, Operating, and Planning NERC Reliability Standards and is based on a reliability risk-based assessment conducted by MRO. 34T34T is listed on the NERC Compliance Registry and therefore is considered a bulk power owner, user, or operator in the United States and is subject to compliance audits under the Federal Power Act. As such, 34T34T is responsible for complying with applicable Reliability Standards to maintain and protect the reliability of the bulk power system. MRO will audit the records related to the applicable Reliability Standards. The objective of the compliance audit is to review evidence that provides reasonable assurance of compliance or findings related to the applicable Reliability Standards. At the conclusion of the compliance audit, an exit briefing will be provided to discuss the compliance audit results and the timing of the audit report. The compliance audit is conducted in accordance with the Compliance Monitoring and Enforcement Program (CMEP) and applicable NERC Rules of Procedure approved by the applicable regulator (in the United States, the Federal Energy Regulatory Commission). In order to complete the compliance audit, and to do so efficiently, unrestricted access to applicable documents and individuals within 34T34T is required. MRO will make requests of such information within a reasonable time before the commencement of the compliance audit. Any information considered “Confidential Information” will be treated accordingly under the NERC Rules of Procedure, Section 1500. 34T34T is responsible for making available all applicable records and related information and for the accuracy and completeness of that information. In addition, 34T34T warrants that the information, statements, including questionnaires completed by 34T34T, and records provided in the course of the compliance audit are true and correct as of the date of the compliance audit completion or the final resolution of any possible violation found during the compliance audit.
If a possible violation is discovered, MRO will discuss the matter with 34T34T in advance and provide the Primary Compliance Contact of 34T34T with a written notice of the possible violation within a reasonable time that shall include the due process protections under the CMEP.
MRO requires certification of certain information that 34T34T provides to MRO in the conduct of a compliance audit. Please sign the certification attached, as the applicable authorized officer of 34T34T, and return the original signed certification to MRO. In addition, MRO will provide your Primary Compliance Contact, under a separate mailing, with other information to assist in the completion of the compliance audit. MRO will advise 34T34T of any additional information required to conduct the compliance audit that requires your certification.
Thank you for your attention to this matter, and please contact me with any questions that you may have.
Respectfully submitted,
Sara E. Patrick Vice President of Compliance Monitoring and Regulatory Affairs
CC: 34T34T Primary Compliance Contact – PCC NAME NERC Audit Team
C E R T I F I C A T I O N
I, , certify that I am of 34T34T;
that I am authorized to execute this Certification on behalf of 34T34T; that I am familiar with
34T34T’s responses to the compliance notification, requests for information, RSAWs, and other
information included to supplement such responses provided to MRO in connection with the
compliance audit of 34T34T; that, to the best of my information, knowledge and belief, the
statements and supporting documents included in this response and appended to this certification
are true and correct as of the date of signing and will be updated on a continuing basis until final
resolution of the audit.
Signature Name and Title
34T34T Address Address Telephone and Fax e-mail
Date
1 of 18
Request # Round Request ID Standard RequirementDocument
Title/DescriptionMRO Comments Requested By Registered Entity Comments Request Date Due Date Status
Round 1-1 Request C-001
CIP-002-5.1CIP-004-6CIP-005-5CIP-006-6CIP-007-6CIP-009-6CIP-010-2
R1R2-R5R1-R2
R1R1-R5R1-R2R1-R3
BES Cyber System Categorization
Provide your current Facility Verification form (or any other documentation you already have) updated to identify the following:1) Which BES Assets have High Impact BES Cyber System(s). For each High Impact BES Cyber System, list: a) The name/unique identifier of the BES Cyber System b) The location of the BES Cyber System c) The function/type of operation it performs d) The number of cyber assets that are within it e) All the owners (if jointly owned) along with who is responsible for meeting the associated compliance obligations2) Which BES Assets have Medium Impact BES Cyber System(s). For each Medium Impact BES Cyber System, list: a) The name/unique identifier of the BES Cyber System b) The location of the BES Cyber System c) The function/type of operation it performs d) The number of cyber assets that are within it e) All the owners (if jointly owned) along with who is responsible for meeting the associated compliance obligations
Notification Packet
## Notification Date ##
## 15 calendar days after
notification packet sent ##
Round 1-1 Request C-002 CIP-006-6 R1 - R3Designated Physical
Security Perimeters (PSPs)
Provide a complete listing of ALL Physical Security Perimeters (PSPs). We request this list to be provided in MS Excel format. Furthermore, for each PSP, we request the Excel spreadsheet include (at a minimum) the following information:- Name or other unique identifier- Physical Location/Address- List of access points at each PSP- Highest Impact Rating for BCA's inside the PSP (High or Medium)
Notification Packet
## Notification Date ##
## 15 calendar days after
notification packet sent ##
Round 1-1 Request C-003 CIP-004-6 R2-R5Designated storage
locations for BES Cyber System Information
Provide a complete listing of ALL Designated BCS Information Storage Locations. We request this list to be provided in MS Excel format and include (at a minimum) the following information: - Name or other unique identifier - Location (electronic location or physical address) - Whether location is a physical or electronic location
Notification Packet
## Notification Date ##
## 15 calendar days after
notification packet sent ##
Round 1-1 Request C-004CIP-008-5CIP-003-6
R2-R3R2
Cyber Security Incident Response Plan Tests
Provide a complete listing of tests performed during the audit period of the Cyber Security Incident Response plan as well as any actual cyber security incidents. We request this list to be provided in MS Excel format. Furthermore, for each test of the Cyber Security Incident Response plan and actual Cyber Security Incident, we request the Excel spreadsheet include (at a minimum) the following information: - Date of test - Event type (test or actual incident) - Brief description - Reportable incident? (Y/N) - Indicate whether the test was for a High/Medium facility or low impact asset
Notification Packet
## Notification Date ##
## 15 calendar days after
notification packet sent ##
Round 1-1 Request C-005 CIP-011-2 R2Reuse or Disposal of BES
Cyber Assets
Provide a complete listing of high/medium BES Cyber Assets that have been released for reuse or disposal. We request this list to be provided in MS Excel format. Furthermore, for each asset, we request the Excel spreadsheet include (at a minimum) the following information:- Asset ID- Asset Model- Device type (Server, Router, Workstation, Switch, etc.)- Status (Released for Reuse or Disposal)- Date Released (if applicable)- Date Disposed (if applicable)
Notification Packet
## Notification Date ##
## 15 calendar days after
notification packet sent ##
Round 1-3 Request C-006 CIP-014-2 R1-R6 Substation Review
Please provide a complete listing of all substations that meet the criteria defined in 4.1.1 of the Applicability section in R1, including (at a minimum):- Substation name- Impact Rating (High or Medium)- Criteria met in CIP-014-2 Applicability Section 4.1.1- Whether the substation a jointly owned facility (Y/N)- Compliance owner of the facility (if a jointly owned facility)
Please be aware that for planning purposes a phone interview may be discussed to have this list provided prior to the onsite audit.
Notification Packet
## Notification Date ##Please provide during onsite
portion of audit
- Unless otherwise specified in the request, please provide original, un-redacted and un-combined, copies in MS Word format or the 'native' format for the requested item(s).NOTE: Request #s: "0XX" are Populations requests from Notification Packet; "1XX" are non-population request from Notification Packet;
Instructions:- Please provide your documentation as requested and reference the 'request number' in all communications. Please keep original file names intact. - Please place all documents for a given request into a folder with the request number as its name.- Electronic documentation is required for all data submittals.- For those RFIs that indicate "applies to samples selected" this means that evidence is being requested for only those devices that are included in the sample set. - For those RFIs requesting information for something that is not applicable to the entity, please just indicate that in the response to the RFI
2 of 18
Request # Round Request ID Standard RequirementDocument
Title/DescriptionMRO Comments Requested By Registered Entity Comments Request Date Due Date Status
Round 1-1 Request C-007 CIP-010-2 R4Transient Cyber Assets
managed by Responsible Entity
Please provide a complete listing of all Transient Cyber Asset(s) (TCAs) managed by the Responsible Entity. We request this list to be provided in MS Excel format. Furthermore, for each TCA, include (at a minimum) the following information:- Transient Cyber Asset ID- Transient Cyber Asset management Type (on-going or on-demand)- Transient Cyber Asset Description- Connection date(s)- Which Plan(s) the TCA is linked to- Cyber Asset connected to
Notification Packet
## Notification Date ##
## 15 calendar days after
notification packet sent ##
Round 1-1 Request C-008 CIP-010-2 R4Transient Cyber Asset(s) managed by other party
Please provide a complete listing of all Transient Cyber Asset(s) (TCAs) managed by another party. We request this list to be provided in MS Excel format. Furthermore, for each TCA, include (at a minimum) the following information:- Transient Cyber Asset ID- Managing party name- Transient Cyber Asset Description- Access date(s)- Cyber Asset connected to
Notification Packet
## Notification Date ##
## 15 calendar days after
notification packet sent ##
Round 1-1 Request C-009 CIP-010-2 R4 Removable Media
Please provide a complete listing of all Removable Media that is approved for use. We request this to be provided in MS Excel format. Furthermore, for each piece of removable media, include (at a minimum) the following information:- Removable Media ID- Date(s) of connection- ID of the Cyber Asset to which it was connected- Description of use
Notification Packet
## Notification Date ##
## 15 calendar days after
notification packet sent ##
Round 1-1 Request C-010 CIP-002-5.1 R1 Assets containing LIBCS
Please provide information showing the following:1) Which BES Assets have Low Impact BES Cyber System(s). For each asset containing a LIBCS, list: a) The name/unique identifier of the asset(s) b) The location of the asset(s) c) The function/type of operation it performs d) Whether there is an electronic access point identified e) Whether there is Dial-up connectivity to the asset(s) f) All the owners (if jointly owned) along with who is responsible for meeting the associated compliance obligations 2) If explicit lists are required by asset, a list of the explicit LIBCS a) The name/unique identifier of the LIBCS b) The location of the LIBCS c) The function/type of operation it performs d) Whether there is an electronic access point identified e) Whether there is Dial-up connectivity to the LIBCS f) All the owners (if jointly owned) along with who is responsible for meeting the associated compliance obligations
Notification Packet
## Notification Date ##
## 15 calendar days after
notification packet sent ##
Round 1-2 Request C-100 CIP-002-5.1 R1BES Cyber System
Categorization
Please provide documentation of the process followed to assign asset impact ratings for BES assets as well as BES Cyber Systems at those facilities. Please include evidence for the current version of each document/list.
Notification Packet
## Notification Date #### 15 calendar
days prior to audit onsite ##
Round 1-2 Request C-101 CIP-002-5.1 R2Evidence of Review and Approval of BES Cyber
Systems
Please provide evidence demonstrating the review and CIP Senior Manager, or delegate, approval at least once every 15 calendar months of the impact rating identifications in Requirement R1 and its parts (even if it has no identified items from Requirement R1).
Please also provide evidence demonstrating the identification of the CIP Senior Manager, or delegate, that was effective at the time of the approval(s).
Please include evidence for the current version of each document/list.
Notification Packet
## Notification Date #### 15 calendar
days prior to audit onsite ##
Round 1-2 Request C-102 CIP-003-6 R1 Cyber Security Policy
Please provide documentation comprising the cyber security policies for the high, medium, and low impact BES Cyber Systems. Please include the current version of the policy or policies. Any referenced documents that have not already been provided in response to this or other document requests must also be included.
Notification Packet
## Notification Date #### 15 calendar
days prior to audit onsite ##
Round 1-2 Request C-103 CIP-003-6 R1Evidence of Cyber Security Policy Annual Review and
Approval
Please provide evidence demonstrating the review and CIP Senior Manager approval of all cyber security policies at least once every 15 calendar months. Please include evidence for the current version of each document.
Notification Packet
## Notification Date #### 15 calendar
days prior to audit onsite ##
Round 1-2 Request C-104 CIP-003-6 R2Low Impact BES Cyber Systems (LIBCS) cyber
security plan(s)
Please provide the cyber security plan document(s) for low impact BES Cyber Systems.Notification
Packet## Notification Date ##
## 15 calendar days prior to audit
onsite ##
Round 1-2 Request C-105 CIP-003-6 R3Identification of CIP Senior
Manager
Please provide dated evidence supporting the identification of the CIP Senior Manager effective at all times during the compliance monitoring period.
Notification Packet
## Notification Date #### 15 calendar
days prior to audit onsite ##
Round 1-2 Request C-106 CIP-003-6 R4Delegation of Senior Manager Authority
Please provide evidence supporting the delegation of any CIP Senior Manager's authority to include, name or title of the delegate, specific actions delegated, and the date of the delegations effective at any time during the compliance monitoring period.
Notification Packet
## Notification Date #### 15 calendar
days prior to audit onsite ##
3 of 18
Request # Round Request ID Standard RequirementDocument
Title/DescriptionMRO Comments Requested By Registered Entity Comments Request Date Due Date Status
Round 1-2 Request C-107 CIP-004-6 R1Security Awareness
Program Documentation
Please provide documented process(es) describing the security awareness program.
Please include the current version of any program documentation. Any referenced documents that have not already been provided in response to this or other document requests must also be included.
Notification Packet
## Notification Date #### 15 calendar
days prior to audit onsite ##
Round 1-2 Request C-108 CIP-004-6 R1.1.1Security Awareness
Program Documentation
Please provide documentation of the quarterly reinforcement materials provided to personnel who have authorized electronic or authorized unescorted physical access to BES Cyber Systems.
Notification Packet
## Notification Date #### 15 calendar
days prior to audit onsite ##
Round 1-2 Request C-109 CIP-004-6 R2Cyber Security Training
Program Documentation
Please provide documentation describing the cyber security training program.
Please include the current version of any program documentation. Any referenced documents that have not already been provided in response to this or other document requests must also be included.
Notification Packet
## Notification Date #### 15 calendar
days prior to audit onsite ##
Round 1-2 Request C-110 CIP-004-6 R2.2.1Cyber Security Training
Materials
Please provide copies of cyber security training materials. Please include the current version of any training materials. Any referenced documents that have not already been provided in response to this or other document requests must also be included.
Notification Packet
## Notification Date #### 15 calendar
days prior to audit onsite ##
Round 1-2 Request C-111 CIP-004-6 R3Personnel Risk
Assessment Program Documentation
Please provide documentation describing the personnel risk assessment program established to attain and retain authorized electronic or authorized unescorted physical access to BES Cyber Systems. Please include the current version of the documentation.
Notification Packet
## Notification Date #### 15 calendar
days prior to audit onsite ##
Round 1-2 Request C-112 CIP-004-6 R4Access Management
Program - Authorization Process
Please provide documentation describing the access management program that authorizes electronic access, unescorted physical access into a Physical Security Perimeter, and access to designated storage locations, whether physical or electronic, for BES Cyber System Information. Please include the current version of the documentation.
Notification Packet
## Notification Date #### 15 calendar
days prior to audit onsite ##
Round 1-2 Request C-113 CIP-004-6 R4.4.2Access Management Program - Quarterly
Verification
Please provide documentation of each calendar quarter review of individuals with active electronic access or unescorted physical access to applicable BES Cyber Systems. Please include the current version and the last three quarterly reviews during the compliance monitoring period.
Notification Packet
## Notification Date #### 15 calendar
days prior to audit onsite ##
Round 1-2 Request C-114 CIP-004-6 R4.4.3Access Management
Program - Privilege Review
Please provide documentation of verification that user accounts, user account groups, or user role categories, and their specific, associated privileges are correct and are those that the Responsible Entity determines are necessary that are verified every 15 calendar months. Please include the current version of the documentation.
Notification Packet
## Notification Date #### 15 calendar
days prior to audit onsite ##
Round 1-2 Request C-115 CIP-004-6 R4.4.4
Access Management Program - Privilege Review - BCS Information storage
locations
Please provide documentation that verifies at least once every 15 calendar months that access to the designated storage locations for BES Cyber System Information, whether physical or electronic, are correct and are those that the Responsible Entity determines are necessary for performing assigned work functions.
Notification Packet
## Notification Date #### 15 calendar
days prior to audit onsite ##
Round 1-2 Request C-116 CIP-004-6 R5 Access Revocation Please provide documentation describing the access revocation program.
Notification Packet
## Notification Date #### 15 calendar
days prior to audit onsite ##
Round 1-2 Request C-117 CIP-005-5 R1Electronic Security
Perimeter (ESP)
Please provide documented process(es) related to the Electronic Security Perimeters (ESPs). Notification
Packet## Notification Date ##
## 15 calendar days prior to audit
onsite ##
Round 1-2 Request C-119 CIP-005-5 R2Interactive Remote Access
Management
Please provide documented process(es) related to Interactive Remote Access management.Notification
Packet## Notification Date ##
## 15 calendar days prior to audit
onsite ##
Round 1-2 Request C-120 CIP-006-6 R1 Physical Security PlanPlease provide all documented physical security plans and PSP diagrams.
Notification Packet
## Notification Date #### 15 calendar
days prior to audit onsite ##
Round 1-2 Request C-121 CIP-006-6 R2 Visitor Control ProgramPlease provide all documented visitor control programs.
Notification Packet
## Notification Date #### 15 calendar
days prior to audit onsite ##
Round 1-2 Request C-122 CIP-006-6 R3PACS Maintenance and
Testing
Please provide all documented Physical Access Control Systems maintenance and testing programs. Notification
Packet## Notification Date ##
## 15 calendar days prior to audit
onsite ##
Round 1-2 Request C-123 CIP-007-6 R1Ports andServices
Please provide documented process(es) used to manage ports and services. Notification
Packet## Notification Date ##
## 15 calendar days prior to audit
onsite ##
Round 1-2 Request C-124 CIP-007-6 R2Security Patch Management
Please provide documented process(es) describing security patch management.Notification
Packet## Notification Date ##
## 15 calendar days prior to audit
onsite ##
Round 1-2 Request C-125 CIP-007-6 R3Malicious Code
Prevention
Please provide documented process(es) describing malicious code prevention.Notification
Packet## Notification Date ##
## 15 calendar days prior to audit
onsite ##
Round 1-2 Request C-126 CIP-007-6 R4 Security Event MonitoringPlease provide documented process(es) describing security event monitoring.
Notification Packet
## Notification Date #### 15 calendar
days prior to audit onsite ##
Round 1-2 Request C-127 CIP-007-6 R5 System Access ControlsPlease provide documented process(es) used to control system access.
Notification Packet
## Notification Date #### 15 calendar
days prior to audit onsite ##
Round 1-2 Request C-128 CIP-008-5 R1Cyber Security Incident
Response Plan Specifications
Please provide documented process(es) describing the Cyber Security Incident response plan specifications.Notification
Packet## Notification Date ##
## 15 calendar days prior to audit
onsite ##
4 of 18
Request # Round Request ID Standard RequirementDocument
Title/DescriptionMRO Comments Requested By Registered Entity Comments Request Date Due Date Status
Round 1-2 Request C-129 CIP-008-5 R2
Cyber Security Incident Response Plan
Implementation and Testing
Please provide documented process(es) describing the implementation and testing of Cyber Security Incident response plan(s). Notification
Packet## Notification Date ##
## 15 calendar days prior to audit
onsite ##
Round 1-2 Request C-130 CIP-008-5 R3
Cyber Security Incident Response Plan Review,
Update, andCommunication
Please provide documented process(es) describing the review, update, and communication of Cyber Security Incident response plan(s). Notification
Packet## Notification Date ##
## 15 calendar days prior to audit
onsite ##
Round 1-2 Request C-131 CIP-009-6 R1Recovery Plan Specifications
Please provide documented process(es) describing the recovery plan specifications.Notification
Packet## Notification Date ##
## 15 calendar days prior to audit
onsite ##
Round 1-2 Request C-132 CIP-009-6 R2Recovery Plan
Implementation and Testing
Please provide documented process(es) describing the implementation and testing of recovery plan(s). Notification
Packet## Notification Date ##
## 15 calendar days prior to audit
onsite ##
Round 1-2 Request C-133 CIP-009-6 R3Recovery Plan Review,
Update and Communication
Please provide documented plan(s) describing the review, update, and communication of recovery plan(s). Notification
Packet## Notification Date ##
## 15 calendar days prior to audit
onsite ##
Round 1-2 Request C-134 CIP-010-2 R1Configuration Change
Management
Please provide documented process(es) describing configuration change management.Notification
Packet## Notification Date ##
## 15 calendar days prior to audit
onsite ##
Round 1-2 Request C-135 CIP-010-2 R2 Configuration MonitoringPlease provide documented process(es) describing configuration monitoring.
Notification Packet
## Notification Date #### 15 calendar
days prior to audit onsite ##
Round 1-2 Request C-136 CIP-010-2 R3 Vulnerability AssessmentsPlease provide documented process(es) describing vulnerability assessments.
Notification Packet
## Notification Date #### 15 calendar
days prior to audit onsite ##
Round 1-2 Request C-137 CIP-011-2 R1 Information ProtectionPlease provide documented procedure(s) for identifying, protecting, and securely handling BES Cyber System Information.
Notification Packet
## Notification Date #### 15 calendar
days prior to audit onsite ##
Round 1-2 Request C-138 CIP-010-2 R4Transient Cyber Assets and Removable Media
plans
Please provide documentation for the documented plan(s) for Transient Cyber Assets and Removable Media that include the sections in CIP-010-2 Attachment 1.
Notification Packet
## Notification Date #### 15 calendar
days prior to audit onsite ##
Round 1-2 Request C-139 CIP-011-2 R2BES Cyber Asset Reuse
and Disposal
Please provide documentation describing the BES Cyber Asset Reuse and Disposal processes.Notification
Packet## Notification Date ##
## 15 calendar days prior to audit
onsite ##
Round 1-2 Request C-140 CIP-006-6 R1.1.10
Cabling and nonprogrammable
communication components
Please provide evidence of physical access restriction to cabling and other nonprogrammable communication components used for connection between applicable Cyber Assets within the same Electronic Security Perimeter in those instances when such cabling and components are located outside of a Physical Security Perimeter.If no physical access restrictions are implemented, please provide documentation describing:- encryption of data that transits such cabling and components; or- monitoring the status of the communication link composed of such cabling and components that includes system generated evidence of any alarms/alerts received and dated (including time) notification being sent to personnel identified in the BES Cyber Security Incident response plan; or- an equally effective logical protection
Notification Packet
## Notification Date #### 15 calendar
days prior to audit onsite ##
Round 1-2 Request C-141 CIP-005-5 R1Network Device
Configuration Files
Please provide the raw configuration files for each electronic access point protecting defined ESPs. Additionally, please provide any router and switch raw configurations internal to those ESPs, where available (Managed switches using configuration files - this does not apply to unmanaged switches). Passwords, assymmetric and symmetric keys need to be redacted where applicable. Please do not PDF the files.
Configurations for devices should be obtained using the commands for supported devices at referenced at: http://www.network-perception.com/supported-devices/
Notification Packet
## Notification Date #### 15 calendar
days prior to audit onsite ##
TFEs C-TFE N/A N/ATechnical Feasibility
Exceptions (TFEs)
For each of the approved TFEs listed below, please provide evidence to support the implementation of the compensating measures and ongoing research towards achieving strict compliance as required:yyyy-MRO-TFE#####-A#
Also, please provide a list of which assets specifically tie to each TFE. Within the list please provide the following:- Asset ID- Manufacturer- Model- Serial #- Associated TFE Number
CIP Team## Three weeks after Notification Date ##
## Five weeks after Notification
Date ##
5 of 18
Request # Round Request ID Standard RequirementDocument
Title/DescriptionMRO Comments Requested By Registered Entity Comments Request Date Due Date Status
Round 2 Request C-200
CIP-002-5.1CIP-004-6CIP-005-5CIP-007-6CIP-009-6CIP-010-2
R1R2-R5R1-R2R1-R5R1-R3R1-R3
High Impact BES Cyber Systems (HIBCS)
For each sampled High Impact BES Cyber System provide a complete listing of all BES Cyber Assets (BCAs) within it, including the following details for each BCA:- Asset id/hostname- Asset Model- Device type (Server, Router, Workstation, Switch, etc.)- Technology Specifications (Windows Version, Linux OS Version, Firmware, etc.)- PSP location- ESP Identifier/location- External Routable Connectivity?- Dial Up Connectivity?- Contains an Electronic Access Point (EAP) interface?- Hypervisor/VM host Asset id (if applicable)- Deployment date (Pre-July 1, 2016 or specific date thereafter)?- TFE Number- TFE's associated requirement
This request applies to samples selected from the following in "## Sample Worksheet Filename ##.": - C-001 - BES Cyber System Categorization (High)
CIP Team## Three weeks after Notification Date ##
## Five weeks after Notification
Date ##
Round 2 Request C-201
CIP-002-5.1CIP-004-6CIP-005-5CIP-007-6CIP-009-6CIP-010-2
R1R2-R5R1-R2R1-R5R1-R3R1, R3
Medium Impact BES Cyber Systems (MIBCS)
For each sampled Medium Impact BES Cyber System provide a complete listing of all BES Cyber Assets (BCA) within it including identifing the following for each BCA:- Asset id/hostname- Asset Model- Device type (Server, Router, Workstation, Switch, etc.)- Technology Specifications (Windows Version, Linux OS Version, Firmware, etc.)- PSP location- ESP identifier/location- External Routable Connectivity?- Dial Up Connectivity?- Contains an Electronic Access Point (EAP) interface?- Deployment date (Pre-July 1, 2016 or specific date thereafter)?- Hypervisor/VM host Asset id (if applicable)- TFE Number- TFE's associated requirement
This request applies to samples selected from the following in "## Sample Worksheet Filename ##.":- C-001 - BES Cyber System Categorization (Medium)
CIP Team## Three weeks after Notification Date ##
## Five weeks after Notification
Date ##
Round 2 Request C-202CIP-002-5.1CIP-003-6
R1.1.3R2
Low Impact BES Cyber Systems (LIBCS)
For each sampled asset containing a Low Impact BES Cyber System or explicitly listed LIBCS provide a complete listing of the following:- Electronic Access Point or Dial-up Connectivity Asset id/hostname, if applicable- Device type (Server, Router, Workstation, Switch, etc.)- PSP location- ESP location- Whether device has Dial-up capability
This request applies to samples selected from the following in "## Sample Worksheet Filename ##.":- C-010 - Assets containing LIBCS
CIP Team## Three weeks after Notification Date ##
## Five weeks after Notification
Date ##
Round 2 Request C-203
CIP-002-5.1CIP-004-6CIP-005-5CIP-006-6CIP-007-6CIP-009-6CIP-010-2
R1R2-R5
R1R1
R1-R5R1-R3R1-R3
HIBCS - EACMS
Provide a complete listing of all Electronic Access Control and Monitoring Systems (EACMS) associated with each sampled High Impact BES Cyber System, including the following details for each:- Asset id/hostname- Asset Model- Device type (Server, Router, Workstation, Switch, etc.)- Technology Specifications (Windows Version, Linux OS Version, Firmware, etc.)- PSP location- ESP identifier/location
CIP Team## Three weeks after Notification Date ##
## Five weeks after Notification
Date ##
6 of 18
Request # Round Request ID Standard RequirementDocument
Title/DescriptionMRO Comments Requested By Registered Entity Comments Request Date Due Date Status
Round 2 Request C-204
CIP-002-5.1CIP-004-6CIP-005-5CIP-006-6CIP-007-6CIP-009-6CIP-010-2
R1R2-R5
R1R1
R1-R5R1-R3R1-R3
MIBCS - EACMS
Provide a complete listing of all Electronic Access Control and Monitoring Systems (EACMS) associated with each sampled Medium Impact BES Cyber System, including the following for each:- Asset id/hostname- Asset Model- Device type (Server, Router, Workstation, Switch, etc.)- Technology Specifications (Windows Version, Linux OS Version, Firmware, etc.)- PSP location- ESP identifier/location- External Routable Connectivity?- Dial Up Connectivity?- Contains an Electronic Access Point (EAP) interface?- Deployment date (Pre-July 1, 2016 or specific date thereafter)?- Serves as an Intermediate System?- Hypervisor/VM host Asset id (if applicable)- TFE Number- TFE's associated requirement
This request applies to samples selected from the following in "## Sample Worksheet Filename ##.":- C-001 - BES Cyber System Categorization (Medium)
CIP Team## Three weeks after Notification Date ##
## Five weeks after Notification
Date ##
Round 2 Request C-205
CIP-002-5.1CIP-004-6CIP-005-5CIP-006-6CIP-007-6CIP-009-6CIP-010-2
R1R2-R5
R1R1
R1-R5R1-R3R1, R3
HIBCS - PACS
Provide a complete listing of all Physical Access Control Systems (PACS) associated with each sampled High Impact BES Cyber System , along with the following for each PACS:- Asset id/hostname- Asset Model- Device type (Server, Router, Workstation, Switch, etc.)- Technology Specifications (Windows Version, Linux OS Version, Firmware, etc.)- PSP location- ESP identifier/location- External Routable Connectivity?- Dial Up Connectivity?- Deployment date (Pre-July 1, 2016 or specific date thereafter)?- Hypervisor/VM host Asset id (if applicable)- TFE Number- TFE's associated requirement
This request applies to samples selected from the following in "## Sample Worksheet Filename ##.": - C-001 - BES Cyber System Categorization (High)
CIP Team## Three weeks after Notification Date ##
## Five weeks after Notification
Date ##
7 of 18
Request # Round Request ID Standard RequirementDocument
Title/DescriptionMRO Comments Requested By Registered Entity Comments Request Date Due Date Status
Round 2 Request C-206
CIP-002-5.1CIP-004-6CIP-005-5CIP-006-6CIP-007-6CIP-009-6CIP-010-2
R1R2-R5
R1R1
R1-R5R1-R3R1, R3
MIBCS - PACS
Provide a complete listing of all Physical Access Control Systems (PACS) associated with each sampled Medium Impact BES Cyber System, including the following for each:- Asset id/hostname- Asset Model- Device type (Server, Router, Workstation, Switch, etc.)- Technology Specifications (Windows Version, Linux OS Version, Firmware, etc.)- PSP location- ESP identifier/location- External Routable Connectivity?- Dial Up Connectivity?- Deployment date (Pre-July 1, 2016 or specific date thereafter)?- Hypervisor/VM host Asset id (if applicable)- TFE Number- TFE's associated requirement
This request applies to samples selected from the following in "## Sample Worksheet Filename ##.":- C-001 - BES Cyber System Categorization (Medium)
CIP Team## Three weeks after Notification Date ##
## Five weeks after Notification
Date ##
Round 2 Request C-207
CIP-002-5.1CIP-005-5CIP-007-6CIP-010-2
R1R1-R2R1-R5R1-R3
HIBCS - PCA
Provide a complete listing of all Protected Cyber Assets (PCA) associated with each sampled High Impact BES Cyber System, including the following for each: - Asset id/hostname- Asset Model- Device type (Server, Router, Workstation, Switch, etc.)- Technology Specifications (Windows Version, Linux OS Version, Firmware, etc.)- PSP location- ESP identifier/location- External Routable Connectivity?- Dial Up Connectivity?- Deployment date (Pre-July 1, 2016 or specific date thereafter)?- Hypervisor/VM host Asset id (if applicable)- TFE Number- TFE's associated requirement
This request applies to samples selected from the following in "## Sample Worksheet Filename ##.": - C-001 - BES Cyber System Categorization (High)
CIP Team## Three weeks after Notification Date ##
## Five weeks after Notification
Date ##
Round 2 Request C-208
CIP-002-5.1CIP-005-5CIP-007-6CIP-010-2
R1R1-R2R1-R5R1, R3
MIBCS - PCA
Provide a complete listing of all Protected Cyber Assets (PCA) associated with each sampled Medium Impact BES Cyber System, including the following for each: - Asset id/hostname- Asset Model- Device type (Server, Router, Workstation, Switch, etc.)- Technology Specifications (Windows Version, Linux OS Version, Firmware, etc.)- PSP location- ESP identifier/location- External Routable Connectivity?- Dial Up Connectivity?- Deployment date (Pre-July 1, 2016 or specific date thereafter)?- Hypervisor/VM host Asset id (if applicable)- TFE Number- TFE's associated requirement
This request applies to samples selected from the following in "## Sample Worksheet Filename ##.":- C-001 - BES Cyber System Categorization (Medium)
CIP Team## Three weeks after Notification Date ##
## Five weeks after Notification
Date ##
8 of 18
Request # Round Request ID Standard RequirementDocument
Title/DescriptionMRO Comments Requested By Registered Entity Comments Request Date Due Date Status
Round 3 Request C-300 CIP-004-6 R2-R5 Individuals with BES Cyber
System Access
Provide a complete listing of ALL employees and contractors who are currently authorized for electronic access and/or unescorted physical access to the sampled assets referenced below. We request this list to be provided in MS Excel format. Furthermore, for each individual, we request the Excel spreadsheet include (at a minimum) the following information:- Employee ID or other unique identifier- Individual’s full name- Individual’s company- Contractor/Employee- Position/job title- Date when unescorted physical access was authorized if applicable- Date when electronic access was authorized if applicable
This request applies to samples selected from the following in the file "## Sample Worksheet Filename ##.":- C-200 - High Impact BES Cyber Systems (HIBCS)- C-201 - Medium Impact BES Cyber Systems (MIBCS with External Routable Connectivity)- C-203 - HIBCS-EACMS- C-204 - MIBCS-EACMS (with External Routable Connectivity)- C-205 - HIBCS-PACS- C-206 - MIBCS-PACS (with External Routable Connectivity)
CIP Team## Six weeks after
Notification Date ##
## Eight weeks after Notification
Date ##
Round 3 Request C-301 CIP-004-6 R2-R5
Individuals with access to designated storage locations for BCS
Information
Provide a complete listing of ALL employees and contractors who are currently authorized electronic and/or physical access BES Cyber Systems Information Storage locations. We request this list to be provided in MS Excel format. Furthermore, for each individual, we request the Excel spreadsheet include (at a minimum) the following information:- Employee ID or other unique identifier- Individual’s full name- Individual’s company- Contractor/Employee- Position/job title- Date when access to storage location(s) was authorized- Impact rating associated with the BCS Information Storage Locations
This request applies to samples selected from the following populations, in the file "## Sample Worksheet Filename ##.":- C-003 - Designated storage locations for BES Cyber System Information
CIP Team## Six weeks after
Notification Date ##
## Eight weeks after Notification
Date ##
Round 3 Request C-302 CIP-004-6 R2-R5 Access Revocation
Provide a complete listing of ALL employees and contractors whose Electronic Access, unescorted physical access, and/or access to BES Cyber Systems Information Storage locations was revoked during the audit period. We request this list to be provided in MS Excel format and include (at a minimum) the following information:- Employee ID or other unique identifier- Individual’s full name- Individual’s company- Contractor/Employee- Position/job title- Revocation for termination or reassignment/transfer (if appropriate) - BCS(s) where unescorted physical access has been authorized - Date on which physical access was revoked (if appropriate)- BCS(s) where electronic access has been authorized- Date on which electronic access was revoked (if appropriate)- Access to BCS(s) storage location information has been authorized - Date on which electronic storage access was revoked (if appropriate)
CIP Team## Six weeks after
Notification Date ##
## Eight weeks after Notification
Date ##
9 of 18
Request # Round Request ID Standard RequirementDocument
Title/DescriptionMRO Comments Requested By Registered Entity Comments Request Date Due Date Status
Round 3 Request C-303 CIP-010-2 R1BES Cyber System
Baseline Configurations
For each device selected in the sample, please provide the established manual or system generated baseline configuration(s) for each device (generated no more than 30 days prior to the date of this request) for the audit period.
This request applies to samples selected from the following in the file "## Sample Worksheet Filename ##.":- C-200 - High Impact BES Cyber Systems (HIBCS)- C-201 - Medium Impact BES Cyber Systems (MIBCS)- C-203 - HIBCS - EACMS- C-204 - MIBCS - EACMS- C-205 - HIBCS - PACS- C-206 - MIBCS - PACS- C-207 - HIBCS - PCA- C-208 - MIBCS - PCA
CIP Team## Six weeks after
Notification Date ##
## 15 calendar days prior to audit
onsite ##
Round 3 Request C-304 CIP-010-2 R1.1.2-1.1.5BES Cyber System
Changes
For each device selected in the sample, please provide a system generated list of all baseline changes made to the device (generated no more than 30 days prior to the date of this request) for the audit period. If the sample list of changes is null (empty), please provide additional evidence corroborating this fact.
This request applies to samples selected from the following in "## Sample Worksheet Filename ##.":- C-200 - High Impact BES Cyber Systems (HIBCS)- C-201 - Medium Impact BES Cyber Systems (MIBCS)- C-203 - HIBCS - EACMS- C-204 - MIBCS - EACMS- C-205 - HIBCS - PACS- C-206 - MIBCS - PACS- C-207 - HIBCS - PCA- C-208 - MIBCS - PCA
CIP Team## Six weeks after
Notification Date ##
## Eight weeks after Notification
Date ##
Round 3 Request C-305 CIP-010-2 R2.2.1Configuration Change
Management
For each device in the sample, please provide documentation of the baseline configuration monitoring that occurs at least every 35 calendar days and documentation on any unauthorized changes.
This request applies to samples selected from the following in the file "## Sample Worksheet Filename ##.":- C-200 - High Impact BES Cyber Systems (HIBCS)- C-203 - HIBCS - EACMS- C-207 - HIBCS - PCA
CIP Team## Six weeks after
Notification Date ##
## 15 calendar days prior to audit
onsite ##
Round 3 Request C-306 CIP-005-5 R1Electronic Security
Perimeter (ESP)
For each EACMS with an electronic access point interface selected in the sample, please provide complete system-generated evidence, (generated no more than 30 days prior to the date of this request) demonstrating inbound and outbound access permissions to include the reason for granting access to the ESP as well as deny by default configuration.
This request applies to samples selected from the following in "## Sample Worksheet Filename ##.":- C-203 - HIBCS-EACMS- C-204 - MIBCS - EACMS
CIP Team## Six weeks after
Notification Date ##
## 15 calendar days prior to audit
onsite ##
Round 3 Request C-307 CIP-005-5 R1.1.4Electronic Security
Perimeter (ESP) Dial Up Connectivity
For each device selected in the sample, please provide complete system-generated evidence, e.g. device screenshot, etc. (generated no more than 30 days prior to the date of this request) of the authentication performed to establish dial up connectivity.
This request applies to samples selected from the following in "## Sample Worksheet Filename ##.":- C-200 - High Impact BES Cyber Systems (with dial-up connectivity)- C-201 - Medium Impact BES Cyber Systems (with dial-up connectivity)- C-207 - HIBCS-PCA (with dial-up connectivity)- C-208 - MIBCS-PCA (with dial-up connectivity)
CIP Team## Six weeks after
Notification Date ##
## 15 calendar days prior to audit
onsite ##
Round 3 Request C-308 CIP-005-5 R1.1.5Electronic Security
Perimeter (ESP) Malicious Communications
For each EACMS with an Electronic Access Point interface selected in the sample, please provide complete system-generated evidence, (generated no more than 30 days prior to the date of this request) on methods used in detecting known or suspected malicious communications for both inbound and outbound communication. If a malicious test file is available for testing automated solutions, please provide system-generated evidence showing the results of using the test file.
This request applies to samples selected from the following in "## Sample Worksheet Filename ##.":- C-203 - HIBCS-EACMS- C-204 - MIBCS-EACMS (at Control Centers)
CIP Team## Six weeks after
Notification Date ##
## 15 calendar days prior to audit
onsite ##
10 of 18
Request # Round Request ID Standard RequirementDocument
Title/DescriptionMRO Comments Requested By Registered Entity Comments Request Date Due Date Status
Round 3 Request C-309 CIP-005-5 R2.2.2-2.2.3Electronic Security
Perimeter (ESP) Interactive Remote Access
For each device selected in the sample please provide complete system-generated evidence, (generated no more than 30 days prior to the date of this request) on encryption and multi-factor authentication methods used for interactive remote access sessions (including vendor access sessions). Vendor documentation for automated methods as supplemental material is also welcome.
This request applies to samples selected from the following in "## Sample Worksheet Filename ##.":- C-200 - High Impact BES Cyber Systems (HIBCS)- C-201 - Medium Impact BES Cyber Systems (with ERC)- C-203 - HIBCS - EACMS- C-204 - MIBCS - EACMS (with ERC)- C-207 - HIBCS - PCA- C-208 - MIBCS - PCA (with ERC)
CIP Team## Six weeks after
Notification Date ##
## 15 calendar days prior to audit
onsite ##
Round 3 Request C-310 CIP-006-6 R1PSP's Associated with BES
Cyber Systems
For each of the PSP access points selected in the sample, please provide evidence of all physical access controls in place to allow unescorted physical access to only those authorized individuals.
This request applies to samples selected from the following population in "## Sample Worksheet Filename ##.":- C-002 - Designated Physical Security Perimeters (PSPs)
CIP Team## Six weeks after
Notification Date ##
## 15 calendar days prior to audit
onsite ##
Round 3 Request C-311 CIP-006-6R1.1.4-1.1.5,1.1.8-1.1.9
Physical Security Perimeter Access Point Monitoring and Logging
For each of the PSP access points selected in the sample, please provide evidence of the following:- Logging of authorized access- Monitoring for unauthorized access into the PSP - Alarms or alerts issued for detected unauthorized access, including time of detected unauthorized access and time of alert being sent to personnel identified in the BES Cyber Security Incident response plan- Retention of physical access logs for the past 90 days
This request applies to samples selected from the following population in "## Sample Worksheet Filename ##.":- C-002 - Designated Physical Security Perimeters (PSPs)
CIP Team## Six weeks after
Notification Date ##
## 15 calendar days prior to audit
onsite ##
Round 3 Request C-312 CIP-006-6 R1.1.6-1.1.7Physical Access Control System Monitoring and
Logging
For each of the PACS devices selected in the sample, please provide evidence of the following:- Monitoring for unauthorized physical access to the Physical Access Control System- Alarms or alerts issued for detected unauthorized access within 15 minutes of detection to the personnel identified in the BES Cyber Security Incident response plan
This request applies to samples selected from the following in "## Sample Worksheet Filename ##.":- C-205 - HIBCS - PACS- C-206 - MIBCS - PACS (with ERC)
CIP Team## Six weeks after
Notification Date ##
## 15 calendar days prior to audit
onsite ##
Round 3 Request C-313 CIP-006-6 R2.2.2-2.2.3 Visitor Control Program
For each PSP access point selected in the sample, please provide evidence of the following:- Logging of visitor access- Retention of visitor access logs for the past 90 days
This request applies to samples selected from the following population in "## Sample Worksheet Filename ##.":- C-002 - Designated Physical Security Perimeters (PSPs)
CIP Team## Six weeks after
Notification Date ##
## 15 calendar days prior to audit
onsite ##
Round 3 Request C-314 CIP-006-6 R3.3.1Maintenance and Testing
Program
For each device selected in the sample, please provide evidence of testing and/or maintenance related to Physical Access Control Systems and locally mounted hardware and devices associated with the access point(s) performed once every 24 months.
This request applies to samples selected from the following population in "## Sample Worksheet Filename ##.":- C-205 - HIBCS - PACS- C-206 - MIBCS - PACS (with ERC)
CIP Team## Six weeks after
Notification Date ##
## 15 calendar days prior to audit
onsite ##
Round 3 Request C-315 CIP-007-6 R1.1.1Ports andServices
For each device selected in the sample, please provide documentation of the ports and services deemed needed by the entity. We request this in MS Excel format, if possible.
This request applies to samples selected from the following in "## Sample Worksheet Filename ##.":- C-200 - High Impact BES Cyber Systems (HIBCS)- C-201 - Medium Impact BES Cyber Systems (with ERC)- C-203 - HIBCS - EACMS- C-204 - MIBCS - EACMS (with ERC)- C-205 - HIBCS - PACS- C-206 - MIBCS - PACS (with ERC)- C-207 - HIBCS - PCA
CIP Team## Six weeks after
Notification Date ##
## 15 calendar days prior to audit
onsite ##
11 of 18
Request # Round Request ID Standard RequirementDocument
Title/DescriptionMRO Comments Requested By Registered Entity Comments Request Date Due Date Status
Round 3 Request C-316 CIP-007-6 R1.1.1Enabled Ports and
Services
For each device selected in the sample, please provide a system-generated list (this list is to be generated no more than 30 days prior to the date of this request) of all logical enabled ports and services, including date generated and the method by which it was generated. We request this in MS Excel format, if possible.
This request applies to samples selected from the following in "## Sample Worksheet Filename ##.":- C-200 - High Impact BES Cyber Systems (HIBCS)- C-201 - Medium Impact BES Cyber Systems (with ERC)- C-203 - HIBCS - EACMS- C-204 - MIBCS - EACMS (with ERC)- C-205 - HIBCS - PACS- C-206 - MIBCS - PACS (with ERC)- C-207 - HIBCS - PCA- C-208 - MIBCS - PCA (with ERC)
CIP Team## Six weeks after
Notification Date ##
## 15 calendar days prior to audit
onsite ##
Round 3 Request C-317 CIP-007-6 R2.2.1-2.2.4 Security Patch Availability
For each device selected in the sample, please provide the source(s) for cyber security patches. Provide a list of security patches released for each device during the audit period, including the date of the availability from the source(s) as well as the date the patches were assessed. (This list is to be generated no more than 35 days prior to the due date of this request) The expectation is that the list explicitly links each specific patch to each specific device.
This request applies to samples selected from the following in "## Sample Worksheet Filename ##.":- C-200 - High Impact BES Cyber Systems (HIBCS)- C-201 - Medium Impact BES Cyber Systems (MIBCS)- C-203 - HIBCS - EACMS- C-204 - MIBCS - EACMS- C-205 - HIBCS - PACS- C-206 - MIBCS - PACS- C-207 - HIBCS - PCA- C-208 - MIBCS - PCA
CIP Team## Six weeks after
Notification Date ##
## Eight weeks after Notification
Date ##
Round 3 Request C-318 CIP-011-2 R1.1.1-1.1.2Information Protection -
Secure Handling
Please provide records indicating that BES Cyber System Information is handled in a manner consistent with the entity’s documented procedure(s). Include examples that demonstrate security storage, transit, and use where applicable. Provide information related to each sampled Cyber Asset from the "## Sample Worksheet Filename ##". Provide how this information is protected from vendors, lineman working/configuring relays (if applicable).
This request applies to samples selected from the following in "## Sample Worksheet Filename ##.":- C-200 - High Impact BES Cyber Systems (HIBCS)- C-201 - Medium Impact BES Cyber Systems (MIBCS)- C-203 - HIBCS - EACMS- C-204 - MIBCS - EACMS- C-205 - HIBCS - PACS- C-206 - MIBCS - PACS
CIP Team ## Notification Date #### 15 calendar
days prior to audit onsite ##
Round 3 Request C-319 CIP-007-6 R3.3.1-3.3.3Malicious Code
Prevention
For each device selected in the sample, please provide system-generated evidence (this list is to be generated no more than 30 days prior to the date of this request) demonstrating that malware deterrent, detection or prevention tools are deployed and that threats of detected malicious code are mitigated. If automated software provides a test file, a sample test using the file would be requested.
This request applies to samples selected from the following in "## Sample Worksheet Filename ##.": C 200 Hi h I t BES C b S t (HIBCS)
CIP Team## Six weeks after
Notification Date ##
## 15 calendar days prior to audit
onsite ##
Round 3 Request C-320 CIP-007-6 R3Signature and Pattern
Updates - Malware Code Prevention
For the devices selected in the sample whose malicious code prevention methods use signatures or patterns, please provide evidence demonstrating the updating and testing of those signatures or patterns.
This request applies to samples selected from the following in "## Sample Worksheet Filename ##.":- C-200 - High Impact BES Cyber Systems (HIBCS)- C-201 - Medium Impact BES Cyber Systems (MIBCS)- C-203 - HIBCS - EACMS- C-204 - MIBCS - EACMS- C-205 - HIBCS - PACS- C-206 - MIBCS - PACS- C-207 - HIBCS - PCA- C-208 - MIBCS - PCA
CIP Team## Six weeks after
Notification Date ##
## 15 calendar days prior to audit
onsite ##
12 of 18
Request # Round Request ID Standard RequirementDocument
Title/DescriptionMRO Comments Requested By Registered Entity Comments Request Date Due Date Status
Round 3 Request C-321 CIP-007-6R4.4.1R4.4.3R5.5.7
Security Event Logs
For each BES Cyber System or at the Cyber Asset selected in the sample, please provide evidence of security event logs of relevant events, referenced in CIP-007 R4.1 (per Cyber Asset or Cyber System capability) or CIP-007 R4.3 (where technically feasible), for the past 90 days.
This request applies to samples selected from the following in "## Sample Worksheet Filename ##.":- C-200 - High Impact BES Cyber Systems (HIBCS)- C-201 - Medium Impact BES Cyber Systems (MIBCS)- C-203 - HIBCS - EACMS- C-204 - MIBCS - EACMS- C-205 - HIBCS - PACS- C-206 - MIBCS - PACS- C-207 - HIBCS - PCA- C-208 - MIBCS - PCA
CIP Team## Six weeks after
Notification Date ##
## 15 calendar days prior to audit
onsite ##
Round 3 Request C-322 CIP-007-6 R4.4.2 Security Event Alerts
For each BES Cyber System or at the Cyber Asset selected in the sample, please provide evidence of security alerts as referenced in CIP-007 R4.2 (per Cyber Asset or BES Cyber System capability) during the monitoring period since July 1, 2016. Please provide evidence of incapability of the device to support security alerts, if applicable.
This request applies to samples selected from the following populations, in "## Sample Worksheet Filename ##.":- C-200 - High Impact BES Cyber Systems (HIBCS)- C-201 - Medium Impact BES Cyber Systems (with ERC)- C-203 - HIBCS - EACMS- C-204 - MIBCS - EACMS (with ERC)- C-205 - HIBCS - PACS- C-206 - MIBCS - PACS (with ERC)- C-207 - HIBCS - PCA- C-208 - MIBCS - PCA (with ERC)
CIP Team## Six weeks after
Notification Date ##
## 15 calendar days prior to audit
onsite ##
Round 3 Request C-323 CIP-007-6 R4.4.4 Review of Security Events
For each BES Cyber System or at the Cyber Asset selected in the sample, please provide evidence of the review of summarized or sampled logged events for the purpose of identifying undetected Cyber Security Incidents for the previous six months.
This request applies to samples selected from the following populations, in "## Sample Worksheet Filename ##.":- C-200 - High Impact BES Cyber Systems (HIBCS)- C-203 - HIBCS - EACMS- C-207 - HIBCS - PCA
CIP Team## Six weeks after
Notification Date ##
## 15 calendar days prior to audit
onsite ##
Round 3 Request C-324 CIP-007-6 R5.5.1 System Access Controls
For each BES Cyber System or at the Cyber Asset selected in the sample and where technically feasible, please provide system generated evidence that authentication enforcement for interactive user access (both local and remote, if applicable) is in place.
This request applies to samples selected from the following populations, in "## Sample Worksheet Filename ##.":- C-200 - High Impact BES Cyber Systems (HIBCS)- C-201 - Medium Impact BES Cyber Systems (at a Control Center or with ERC)- C-203 - HIBCS - EACMS- C-204 - MIBCS - EACMS (at a Control Center or with ERC)- C-205 - HIBCS - PACS- C-206 - MIBCS - PACS (at a Control Center or with ERC)- C-207 - HIBCS - PCA- C-208 - MIBCS - PCA (at a Control Center or with ERC)
CIP Team## Six weeks after
Notification Date ##
## 15 calendar days prior to audit
onsite ##
Round 3 Request C-325 CIP-007-6R5.5.2R5.5.4
Generic or Default Accounts
For each BES Cyber System or at the Cyber Asset selected in the sample, please provide system generated evidence showing all known enabled generic or default accounts. Ensure to include any domain accounts, if applicable.
This request applies to samples selected from the following in "## Sample Worksheet Filename ##.":- C-200 - High Impact BES Cyber Systems (HIBCS)- C-201 - Medium Impact BES Cyber Systems (MIBCS)- C-203 - HIBCS - EACMS- C-204 - MIBCS - EACMS- C-205 - HIBCS - PACS- C-206 - MIBCS - PACS- C-207 - HIBCS - PCA- C-208 - MIBCS - PCA
CIP Team## Six weeks after
Notification Date ##
## 15 calendar days prior to audit
onsite ##
13 of 18
Request # Round Request ID Standard RequirementDocument
Title/DescriptionMRO Comments Requested By Registered Entity Comments Request Date Due Date Status
Round 3 Request C-326 CIP-007-6 R5.5.3 Shared Account Access
For all enabled shared accounts that exist on each device in the sample, please provide an inventory of all individuals with authorized access to those accounts.We request this list to be provided in MS Excel format and include (at a minimum) the following information:- Employee ID or other unique identifier- Individual’s full name- Individual’s company- Contractor/Employee- Position/job title
This request applies to samples selected from the following populations, in "## Sample Worksheet Filename ##.":- C-200 - High Impact BES Cyber Systems (HIBCS)- C-201 - Medium Impact BES Cyber Systems (with ERC)- C-203 - HIBCS - EACMS- C-204 - MIBCS - EACMS (with ERC)- C-205 - HIBCS - PACS- C-206 - MIBCS - PACS (with ERC)- C-207 - HIBCS - PCA- C-208 - MIBCS - PCA (with ERC)
CIP Team## Six weeks after
Notification Date ##
## Eight weeks after Notification
Date ##
Round 3 Request C-327 CIP-007-6 R5.5.5-5.5.7Device Password
Restrictions
For each device selected in the sample, please provide system-generated evidence (generated no more than 30 days prior to the date of this request) showing the password requirement settings on each device, including minimum length, complexity requirements, password age (including system-generated dated evidence of when the password was changed for all accounts), and unsuccessful attempts threshold or alerts generated from unsuccessful authentication attempts, where required. If no technical requirements can be provided, please provide evidence of how each device has password requirements handled procedurally.
This request applies to samples selected from the following populations, in "## Sample Worksheet Filename ##.":- C-200 - High Impact BES Cyber Systems (HIBCS)- C-201 - Medium Impact BES Cyber Systems (MIBCS)- C-203 - HIBCS - EACMS- C-204 - MIBCS - EACMS- C-205 - HIBCS - PACS- C-206 - MIBCS - PACS- C-207 - HIBCS - PCA- C-208 - MIBCS - PCA
CIP Team## Six weeks after
Notification Date ##
## 15 calendar days prior to audit
onsite ##
Round 3 Request C-328 CIP-008-5 R2
Cyber Security Incident Response Plan
Implementation and Testing
For each response plan test selected in the sample, please provide all documentation associated with the test.
This request applies to samples selected from the following in the file "## Sample Worksheet Filename ##.":- C-004 - Cyber Security Incident Response Plan Tests
CIP Team## Six weeks after
Notification Date ##
## 15 calendar days prior to audit
onsite ##
Round 3 Request C-329 CIP-008-5 R3.3.1-3.3.2
Cyber Security Incident Response Plan Review,
Update, andCommunication
For each incident response plan test selected in the sample, please provide dated documentation of the following: - Lessons learned or the absence of lessons learned,- Cyber Security Incident response plan updates that occurred as a result of lessons learned (within 90 calendar days of the response plan test or actual incident) or changes to the roles and responsibilities (within 60 calendar days of changes to individuals or technology impacting execution of the plan).- Notification of the incident response plan updates to individuals with a defined role in the Cyber Security Incident response plan.
This request applies to samples selected from the following population, in the file "## Sample Worksheet Filename ##.":- C-004 - Cyber Security Incident Response Plan Tests
CIP Team## Six weeks after
Notification Date ##
## 15 calendar days prior to audit
onsite ##
Round 3 Request C-330 CIP-009-6 R1.1.4Successful Backup
Verification
For each device in the sample, please provide documentation verifying successful completion, within the last 15 calendar months, of the backup processes in Part 1.3 and to address any backup failures.
This request applies to samples selected from the following in the file "## Sample Worksheet Filename ##.":- C-200 - High Impact BES Cyber Systems (HIBCS)- C-201 - Medium Impact BES Cyber Systems (at Control Centers)- C-203 - HIBCS - EACMS- C-204 - MIBCS - EACMS (at Control Centers)- C-205 - HIBCS - PACS- C-206 - MIBCS - PACS (at Control Centers)
CIP Team## Six weeks after
Notification Date ##
## 15 calendar days prior to audit
onsite ##
14 of 18
Request # Round Request ID Standard RequirementDocument
Title/DescriptionMRO Comments Requested By Registered Entity Comments Request Date Due Date Status
Round 3 Request C-331 CIP-009-6R2.2.1
R3.3.1-3.3.2Recovery Plan Testing
For each device in the sample, please provide evidence of the annual recovery plan test. A test of the recovery plan(s) can range from a paper drill, to a full operational exercise, to recovery from an actual incident. Please include any lessons learned and provide the updated plans as well as notifications of the updates made with appropriate dates.
This request applies to samples selected from the following in the file "## Sample Worksheet Filename ##.":- C-200 - High Impact BES Cyber Systems (HIBCS)- C-201 - Medium Impact BES Cyber Systems (at Control Centers)- C-203 - HIBCS - EACMS- C-204 - MIBCS - EACMS (at Control Centers)- C-205 - HIBCS - PACS- C-206 - MIBCS - PACS (at Control Centers)
CIP Team## Six weeks after
Notification Date ##
## 15 calendar days prior to audit
onsite ##
Round 3 Request C-332 CIP-009-6 R2.2.2BES Cyber System
recovery information testing
For each representative test in the sample, please provide evidence of the annual recovery plan test ensuring that the information used to recover the BES Cyber System functionality is usable and compatible with the current configurations.
This request applies to samples selected from the following in the file "## Sample Worksheet Filename ##.":- C-200 - High Impact BES Cyber Systems (HIBCS)- C-201 - Medium Impact BES Cyber Systems (at Control Centers)- C-203 - HIBCS - EACMS- C-204 - MIBCS - EACMS (at Control Centers)- C-205 - HIBCS - PACS- C-206 - MIBCS - PACS (at Control Centers)
CIP Team## Six weeks after
Notification Date ##
## 15 calendar days prior to audit
onsite ##
Round 3 Request C-333 CIP-009-6 R2.2.3High Impact BES Cyber System recovery plan
testing
For each device in the sample, please provide evidence of the recovery plan test(s) that were performed through an operational exercise in an environment representative of the production environment during the monitoring period.
This request applies to samples selected from the following populations, in the file "## Sample Worksheet Filename ##.":- C-200 - High Impact BES Cyber Systems (HIBCS)
CIP Team## Six weeks after
Notification Date ##
## 15 calendar days prior to audit
onsite ##
Round 3 Request C-334 CIP-010-2 R3.3.1 - R3.3.4Periodic Vulnerability
Assessments
Please provide evidence of the 15-month periodic vulnerability assessments (VAs). For each VA, documentation must include the following information:- Date(s) on which the VA for each sampled device (or for the BES Cyber System in which the device resides) was both initiated and completed. Ensure that the evidence for the tests performed includes the following considerations: a. Network port and service identification b. Vulnerability review or scanning c. Wireless review or scanning- Documentation of the results and review of the assessments conducted according to Part 3.1- Documentation of any action plans to remediate or mitigate all vulnerabilities identified in the assessment and the execution status of that action plan
This request applies to samples selected from the following populations, in the file "## Sample Worksheet Filename ##.":- C-200 - High Impact BES Cyber Systems (HIBCS)- C-201 - Medium Impact BES Cyber Systems (MIBCS)- C-203 - HIBCS - EACMS- C-204 - MIBCS - EACMS- C-205 - HIBCS - PACS- C-206 - MIBCS - PACS- C-207 - HIBCS - PCA- C-208 - MIBCS - PCA
CIP Team## Six weeks after
Notification Date ##
## 15 calendar days prior to audit
onsite ##
15 of 18
Request # Round Request ID Standard RequirementDocument
Title/DescriptionMRO Comments Requested By Registered Entity Comments Request Date Due Date Status
Round 3 Request C-335 CIP-010-2 R3.3.2 - R3.3.4Periodic Active
Vulnerability Assessments
Please provide evidence of the 36-month periodic active vulnerability assessments (VAs). For each active VA, documentation must include the following information:- Date(s) on which the VA for each sampled device (or for the BES Cyber System in which the device resides) was both initiated and completed. Ensure that the evidence for the test(s) performed includes the following considerations: a. Network port and service identification b. Vulnerability scanning c. Wireless scanning- Any testing and production environment differences including a description of the measures used to account for those differences- Documentation of the results of the assessment and testing conducted according to Parts 3.2 and 3.3- Documentation of any action plans to remediate or mitigate all vulnerabilities identified in the assessment and the execution status of that action plan
This request applies to samples selected from the following populations, in "## Sample Worksheet Filename ##." tabs:- C-200 - High Impact BES Cyber Systems (HIBCS)- C-203 - HIBCS-EACMS- C-207 - HIBCS-PCA
NOTE: Part 3.4 evidence for HIBCS PACS and all Medium impact BCS and associated assets is requested in C-334
CIP Team## Six weeks after
Notification Date ##
## 15 calendar days prior to audit
onsite ##
Round 3 Request C-336 CIP-010-2 R3.3.3New Cyber Asset
Vulnerability Assessments
Please provide evidence of the active vulnerability assessments performed on applicable Cyber Assets added to the production environment. For each active VA on newly added assets, documentation must include the following information:- Evidence of the test(s) performed- Documentation of the testing results - Documentation of any action plans to remediate or mitigate all vulnerabilities identified in the assessment and the execution status of that action plan.
This request applies to samples selected from the following populations, in the file "## Sample Worksheet Filename ##.":- C-200 - High Impact BES Cyber Systems (HIBCS)- C-203 - HIBCS - EACMS- C-207 - HIBCS - PCA
CIP Team## Six weeks after
Notification Date ##
## 15 calendar days prior to audit
onsite ##
Round 3 Request C-337 CIP-011-2 R2BES Cyber Asset Reuse
and Disposal
For each sampled Cyber Asset that was released for reuse or disposal, please provide the evidence of the actions taken to prevent the unauthorized retrieval of BES Cyber System Information from the Cyber Asset data storage media.
This request applies to samples selected from the following populations, in the file "## Sample Worksheet Filename ##.":- C-005 - Reuse or Disposal of BES Cyber Assets
CIP Team## Six weeks after
Notification Date ##
## 15 calendar days prior to audit
onsite ##
Round 3 Request C-338 CIP-014-2 R4-R5 Substation evaluation
Please provide dated documentation of substation evaluations identified in CIP-014-2 R1 and verified according to CIP-014-2 R2 as well as the physical security plan(s) created based on the evaluation. Include the following:- Date of assessment evaluation- Recommended changes from the assessment review (if applicable)
CIP Team ## Notification Date ##Please provide during onsite
portion of audit
Round 3 Request C-339 CIP-009-6 R1.1.5 Data Preservation
For each device in the sample, please provide documentation showing the cause of a Cyber Security Incident that triggered activation of the recovery plan(s), per Cyber Asset capability.
This request applies to samples selected from the following in the file "## Sample Worksheet Filename ##.":- C-200 - High Impact BES Cyber Systems (HIBCS)- C-201 - Medium Impact BES Cyber Systems (MIBCS)- C-203 - HIBCS - EACMS- C-204 - MIBCS - EACMS- C-205 - HIBCS - PACS- C-206 - MIBCS - PACS
CIP Team## Six weeks after
Notification Date ##
## 15 calendar days prior to audit
onsite ##
Round 3 Request C-340 CIP-014-2 R1-R3Substation Risk
Assessment
Please provide dated documentation of an initial risk and subsequent risk assessments of all owned Transmission stations/substations (existing and planned to be in service within 24 months) completed during the monitoring period. Please include the identification of the primary control center, notification(s) to the primary control center, and confirmation of the 3rd party risk assessment and results (including confirmation of 3rd party experience and nondisclosure agreements).
This request applies to samples to be selected during a SME interview to be scheduled by audit team at a future date.
CIP Team ## Notification Date ##Please provide during onsite
portion of audit
16 of 18
Request # Round Request ID Standard RequirementDocument
Title/DescriptionMRO Comments Requested By Registered Entity Comments Request Date Due Date Status
Round 3 Request C-341 CIP-005-5 R1.1.1-1.1.2 Device Interface Output
For each device in the sample, please provide documentation showing all connection interfaces and the status of those interfaces (where available). Example output could be something similar to 'ipconfig /all' for Windows OS or 'ifconfig -a' for *nix OS. Please indicate information if information is not available for the device.
This request applies to samples selected from the following populations, in the file "## Sample Worksheet Filename ##.":- C-200 - High Impact BES Cyber Systems (HIBCS)- C-201 - Medium Impact BES Cyber Systems (MIBCS)- C-207 - HIBCS - PCA- C-208 - MIBCS - PCA
CIP Team## Six weeks after
Notification Date ##
## 15 calendar days prior to audit
onsite ##
Round 3 Request C-342 CIP-010-2 R4Handling of TCA managed
by Responsible Entity
For each Transient Cyber Asset in the sample, please provide documentation showing the following:- Role or group user authorization- Location authorization- Usage authorization- Handling of software vulnerability mitigation- Handling of malicious code mitigation- Handling of unauthorized use
This request applies to samples selected from the following populations, in the file "## Sample Worksheet Filename ##":- C-007 - Transient Cyber Assets managed by Responsible Entity
CIP Team## Six weeks after
Notification Date ##
## 15 calendar days prior to audit
onsite ##
Round 3 Request C-343 CIP-010-2 R4Handling of TCA managed
by other party
For each Transient Cyber Asset in the sample, please provide documentation showing the following:- Handling of software vulnerability mitigation- Handling of malicious code mitigation- If additional mitigations were deemed necessary, information about additional mitigations that were used
This request applies to samples selected from the following populations, in the file "## Sample Worksheet Filename ##":- C-008 - Transient Cyber Asset(s) managed by other party
CIP Team## Six weeks after
Notification Date ##
## 15 calendar days prior to audit
onsite ##
Round 3 Request C-344 CIP-010-2 R4Handling of Removable
Media
For each Removable Media in the sample, please provide documentation showing the following:- Role or group user authorization- Location authorization- System generated evidence showing method to detect malicious code on the removable media- If issue found on removable media, how mitigation of malicious code is handled
This request applies to samples selected from the following populations, in the file "## Sample Worksheet Filename ##":- C-009 - Removable Media
CIP Team## Six weeks after
Notification Date ##
## 15 calendar days prior to audit
onsite ##
Round 3 Request C-345 CIP-003-6 R2Cyber Security Awareness
Materials
Please provide the cyber security awareness materials provided to personnel who have access to assets containing low impact BES Cyber Systems. Include the dates of when the materials were provided. CIP Team
## Six weeks after Notification Date ##
## 15 calendar days prior to audit
onsite ##
Round 3 Request C-346 CIP-003-6 R2Cyber Security Incident
Response for LIBCS
For each incident response plan connected to a LIBCS test selected in the sample, please provide documentation of the following: - Testing of the Cyber Security Incident response plan at least once every 36 calendar months- Updating the Cyber Security Incident response plan (or indication that no updates are needed)
This request applies to LIBCS samples selected from the following population, in the file "## Sample Worksheet Filename ##.":- C-004 - Cyber Security Incident Response Plan Tests
CIP Team## Six weeks after
Notification Date ##
## 15 calendar days prior to audit
onsite ##
Round 3 Request C-347 CIP-003-6 R2Physical and Electronic
Controls for LIBCS
For each asset or LIBCS in the sample, please provide documentation showing the following:- Evidence of the implemented physical security control(s)- Evidence of the implemented electronic access control(s)- Description or diagram of the specific implementation of LEAP for the asset, if applicable- Description or diagram of the Dial-up Connectivity to the asset, if applicable- Inbound and outbound access permissions for each LEAP, if applicable- Documentation of the inbound and outbound access permissions, if applicable- Documentation of the capability or incapability for Dial-up Connectivity authentication, if applicable
This request applies to LIBCS samples selected from the following population, in the file "## Sample Worksheet Filename ##":- C-202 - Low Impact BES Cyber Systems (LIBCS)
CIP Team## Six weeks after
Notification Date ##
## 15 calendar days prior to audit
onsite ##
Round 3 Request C-348CIP-002-5.1CIP-014-2
R1R1
Substation onelinesPlease provide Transmission system maps that in the aggregate encompass all substation assets owned by Responsible Entity. CIP Team
## Six weeks after Notification Date ##
Please provide during onsite
portion of audit
17 of 18
Request # Round Request ID Standard RequirementDocument
Title/DescriptionMRO Comments Requested By Registered Entity Comments Request Date Due Date Status
Round 3 Request C-349 CIP-014-2 R6 Third party evaluation
Please provide dated documentation of third party evaluations for CIP-014-2 R4 assessments and CIP-014-2 R5 plans. Ensure to include:- Third party reviewer credentials- Date of third party reviewer evaluation- Recommended changes from the third party review (if applicable)- Actions from recommend changes from third party review (if applicable)- Acceptance of non-disclosure agreements
CIP Team## Six weeks after
Notification Date ##
Please provide during onsite
portion of audit
Round 3 Request C-350 CIP-005-5 R1-R2 ESP Network Diagrams
Please provide network topology and/or network diagrams for all designated ESPs. Please include relationships between ESPs, if applicable.Documentation should include:- Identification of all Electronic Access Points- Identification of sampled Electronic Access Control and Monitoring Systems- Identification of sampled BES Cyber Systems with Dial-up Connectivity- Identification of all Intermediate Systems for Interactive Remote Access- Identification of devices in the following samples selected from the following populations: a. C-200 - HIBCS b. C-201 - MIBCS c. C-203 - HIBCS-EACMS d. C-204 - MIBCS-EACMS e. C-207 - HIBCS-PCA f. C-208 - MIBCS-PCA
Notification Packet
## Notification Date #### 15 calendar
days prior to audit onsite ##
Round 3 Request C-351 CIP-007-6R5.5.2R5.5.4
Inventory of Generic or Default Accounts
For each BES Cyber System or at the Cyber Asset selected in the sample, please provide the inventory of all known enabled generic or default accounts. Ensure to include any domain accounts, if applicable.
This request applies to samples selected from the following in "## Sample Worksheet Filename ##.":- C-200 - High Impact BES Cyber Systems (HIBCS)- C-201 - Medium Impact BES Cyber Systems (MIBCS)- C-203 - HIBCS - EACMS- C-204 - MIBCS - EACMS- C-205 - HIBCS - PACS- C-206 - MIBCS - PACS- C-207 - HIBCS - PCA- C-208 - MIBCS - PCA
CIP Team## Six weeks after
Notification Date ##
## Eight weeks after Notification
Date ##
Round 4 Request C-400 CIP-004-6 R2 - R4
Cyber Security Training & Personnel Risk
Assessment Program Documentation
For each individual selected in the sample, please provide evidence and complete the spreadsheet columns completely.
This request applies to samples listed in Testing Tab A of the file "XXXX_CIPAudit_Testing Tab A & B.xlsx".
This request applies to samples selected from the following populations:- C-300 - Individuals with BES Cyber System Access- C-301 - Individuals with access to designated storage locations for BCS Information- C-302 - Access Revocation
CIP Team## Nine weeks after Notification Date ##
## 15 calendar days prior to audit
onsite ##
Round 4 Request C-401 CIP-004-6 R5 Access Revocation
For each individual selected in the sample, please provide evidence and complete the spreadsheet columns completely.
This request applies to samples listed in Testing Tab B of the file "XXXX_CIPAudit_Testing Tab A & B.xlsx".
This request applies to samples selected from the following populations:- C-301 - Individuals with access to designated storage locations for BCS Information- C-302 - Access Revocation
CIP Team## Nine weeks after Notification Date ##
## 15 calendar days prior to audit
onsite ##
Round 4 Request C-402 CIP-007-6 R5.5.3Shared Account Authorization
For each individual selected in the sample, please provide evidence of shared account access authorization.
This request applies to samples selected from the following populations, in the file "XXX_CIPAudit_SampleSelections.xlsx.":
- C-326 - Shared Account Access
CIP Team## Nine weeks after Notification Date ##
## 15 calendar days prior to audit
onsite ##
Round 4 Request C-403 CIP-007-6 R5.5.4 Default Password Change
For each sampled default account, please provide evidence that the default password was changed per Cyber Asset capability.
This request applies to samples selected from the following populations, in "XXX_CIPAudit_SampleSelections.xlsx.":
- C-325 - Generic or Default Accounts
CIP Team## Nine weeks after Notification Date ##
## 15 calendar days prior to audit
onsite ##
18 of 18
Request # Round Request ID Standard RequirementDocument
Title/DescriptionMRO Comments Requested By Registered Entity Comments Request Date Due Date Status
Round 4 Request C-404 CIP-010-2R1.1.2R1.1.4
Configuration Change Testing
For each baseline configuration change in the sample, please provide documentation of the following:- Evidence of authorization for the change- Cyber security controls in CIP-005 and CIP-007 that could be impacted by the change- Verification that required cyber security controls determined in 1.4.1 are not adversely affected
This request applies to samples selected from the following populations, in the file "XXX_CIPAudit_SampleSelections.xlsx.":- C-304 - BES Cyber System Changes
CIP Team## Nine weeks after Notification Date ##
## 15 calendar days prior to audit
onsite ##
Round 4 Request C-405 CIP-010-2 R1.1.2-1.1.3Baseline Configuration
Updates
For each baseline change in the sample, please provide a dated updated baseline configuration upon completion of the change, which shall include the following items:- Operating system(s) (including version) or firmware where no independent operating system exists;- Any commercially available or open-source application software (including version) intentionally installed;- Any custom software installed;- Any logical network accessible ports; - Any security patches applied;- Any authorized changes that deviate from the existing baseline configuration;- Baseline configuration update date
This request applies to samples selected from the following populations, in the file "XXX_CIPAudit_SampleSelections.xlsx.":- C-304 - BES Cyber System Changes
CIP Team## Nine weeks after Notification Date ##
## 15 calendar days prior to audit
onsite ##
Operations and Planning - Request for Information
Page 1 of 2 Ops Planning Reliability Standards RFI Spreadsheet.xlsx
Entity:Instructions:- Please provide your documentation as requested and reference the 'request number' in all communications. Please keep original file names intact. - Please place all documents for a given request into a folder with the request number as its name.- Electronic documentation is required for all data submittals.- Unless otherwise specified in the request, please provide original, un-redacted and un-combined, copies in MS Word format or the 'native' format for the requested item(s).NOTE: Request #s: "0X" are requests from Notification Packet; "1XX" are 1st round of sampling and sampling support; "2XX" are second round of sampling support; "3XX" are third round of sampling support; "4XX are fieldwork requests
Request # Std. Req. Description MRO Comments Requested by Registered Entity Comments Request Date Due Date Status
OP-01 FAC-008-3 6 To generate a specific random sample population Please provide a list, in Excel .xlsx format, of all of your BES Facilities and their associated ratings.
Notification Packet ## Notification Date ##
OP-02 PRC-005-634
Sample UFLS population
Please provide a list of feeders with UFLS circuits in MS Excel format. This list should include all UFLS circuits that are installed per the ERO underfrequency load-shedding requirements owned by the entity even if located in another entity's substation. For each feeder with a UFLS circuit, please indicate if it is either distributed or non-distributed.
Notification Packet ## Notification Date ##
OP-03 PRC-005-634
Sample UVLS population
Please provide a list of feeders with UVLS circuits in MS Excel format. This list should include all feeders with UVLS circuits that are installed to prevent system voltage collapse or voltage instability for BES reliability. For each feeder with a UVLS circuit, please indicate if it is either distributed or non-distributed.
Notification Packet ## Notification Date ##
OP-04 PRC-005-634
Description of Remedial Action Scheme(s)Please provide a written description and basic block diagram (including inputs and outputs) of your Remedial Action Scheme(s).
Notification Packet ## Notification Date ##
OP-05 PER-005-2123
Operating Training Program documentation Please provide a copy of your Operator Training Program document(s) Notification Packet ## Notification Date ##
OP-06 PER-005-2 1.33
To generate a specific random sample population
Please provide a list of all personnel performing the reliability-related taks of RC, BA, and TO employed from MM/DD/YYY to the end of the compliance monitoring period. Include all of the positions(s) the Operator qualified for, and identify the date(s) of each qualification.
Notification Packet ## Notification Date ##
OP-07 PER-005-2 1.33
To generate a specific random sample population Provide a list of BES company-specific Real-time reliability-related tasks for your RC, BA, and TOP personnel. Indicate if the task is new or has been modified since MM/DD/YYYY. Also, record the date that any new or modified task became effective.
Notification Packet ## Notification Date ##
OP-08 PRC-023-4 1 Sample population
Please provide a list including all applicable:4.2.1.1 Transmission lines operated at 200 kV and above.4.2.1.2 Transmission lines operated at 100 kV to 200 kV selected by the Planning Coordinator in accordance with R6.4.2.1.3 Transmission lines operated below 100 kV that are part of the BES and selected by the Planning Coordinator in accordance with R6.4.2.1.4 Transformers with low voltage terminals connected at 200 kV and above.4.2.1.5 Transformers with low voltage terminals connected at 100 kV to 200 kV selected by the Planning Coordinator in accordance with R6.4.2.1.6 Transformers with low voltage terminals connected below 100 kV that are part of the BES and selected by the Planning Coordinator in accordance with R6We request these list(s) to be provided in MS Excel format. Furthermore, for each facility, we request the MS Excel spreadsheet include (at a minimum) the following information: the facility’s name and rated voltage(s).
Notification Packet ## Notification Date ##
OP-18 PER-005-2 2 Sample population Please complete and return spreadsheet RFI OP-18 PER-005-2.xlsx. Notification Packet ## Notification Date ##
OP-19 PER-005-2 4 Sample population Please complete and return spreadsheet RFI OP-19 PER-005-2.xlsx. Notification Packet ## Notification Date ##
OP-20 PER-005-2 5 Sample population
1.Provide a list your operations support personnel employed from DD/MM/YYYY2. List the training developed for your operations support personnel, and the required periodicity of the training as established by your systematic approach.3. Return the above information to MRO
Notification Packet ## Notification Date ##
OP-21 PER-005-2 6 Sample population Please complete and return spreadsheet RFI OP-21 PER-005-2.xlsx. Notification Packet ## Notification Date ##
OP-100 FAC-008-3 6
Enter Entity Name Here
Operations and Planning - Request for Information
Page 2 of 2 Ops Planning Reliability Standards RFI Spreadsheet.xlsx
Request # Std. Req. Description MRO Comments Requested by Registered Entity Comments Request Date Due Date Status
OP-101 PRC-005-634
Sample population
Please use file OP-101 PRC-005.xlsx to list all BES protection system equipment for the facilities identified within this file. Include all applicable facilities as identified in Section 4.2 of the Standard. Also for RAS, include equipment for the redundant portion. Equipment may include relays, input sensing devices, communications, DC Control Circuitry, and station dc supply.
OP-102 PRC-005-634
Sample UFLS_UVLS populations
Please use file OP-102 PRC-005.xlsx to list all BES protection system equipment for the feeders identified within this file. Include all applicable facilities as identified in Section 4.2 of the Standard. Equipment is to include UFLS and UVLS relays , input sensing devices, DC Control Circuitry, and station dc supply.
OP-103 PER-005-2 2OP-104 PER-005-2 1OP-105 PER-005-2 3OP-106 PER-005-2 2.1
OP-200 FAC-008-3 6
OP-201 PRC-005-634
Maintenance and testing records Please follow instructions in RFI OP-201_PRC-005_TO_GO_RAS.xlsx
OP-202 PRC-005-634
Maintenance and testing records Please follow instructions in RFI OP-202_PRC-005_UFLS_UVLS.xlsx
ADD OP-210