audit notification letter - midwest reliability organizations audit... · 1 . delivery method: via...


Upload: trinhphuc

Post on 06-Feb-2018


Page 1: Audit Notification Letter - Midwest Reliability Organizations Audit... · 1 . Delivery Method: Via E-mail and the FTP2 site of MRO’s EFT Server Confidential and Non-Public Audit


Delivery Method: Via E-mail and the FTP2 site of MRO’s EFT Server

Confidential and Non-Public

Audit Notification Letter

[Insert Date Here]

Registered Entity Name

Registered Entity Acronym

NCR ID # (NERC Compliance Registry – NCR)

Registered Entity Contact

[Primary Contact]

Registered Entity Address

Compliance Audit Type

[Operations & Planning and/or CIP]

Audit Dates – on-site/off-site

[If O&P and CIP audit periods dates are different - note both dates here]

Audit Period (Monitoring Period)

[Insert Dates]

Registered Entity Functional Registration

[Enter all functions that are applicable to registered entity]

CFR’s or Delegation Agreement

[Optional – delete if not used]


Dear PCC:

Entity Name (hereinafter Entity Acronym) NERC ID: (NCRXXXX) MRO (NCRXXXX) RF (NCRXXXX) SPP (NCRXXXX) TRE (NCRXXXX) WECC, etc.), is scheduled to receive a Compliance Audit from Month xx, 20xx, through Month xx, 20xx. The audit scope includes CIP, Operations, and Planning NERC Reliability Standards, and is based on a reliability risk-based assessment conducted by MRO in conjunction with/on behalf of itself and SPP, RF, TRE, WECC. The objective of the compliance audit is to review evidence that provides reasonable assurance of compliance or findings related to the applicable Reliability Standards. The Compliance Audit is conducted in accordance with the Compliance Monitoring and Enforcement Program (CMEP) and applicable NERC Rules of Procedure approved by the applicable regulator (in the United States, the Federal Energy Regulatory Commission).

The following personnel will be participating in the audit:

Audit Team Members and Participants

Team Members/Participants | CMEP Activity Role | Region/Affiliation
Julie Sikes | Audit Team Lead (ATL) | MRO
Jim Morales | Auditor | MRO
Rafik Halim | Auditor | MRO
Richard Samec | Auditor | MRO
Jess Syring | Auditor | MRO
Dave Taylor | Auditor | MRO
Michael Taube | Auditor | MRO
Sara Patrick | Observer | MRO

This audit will be conducted by all or some of the audit team members in the table above. [Entity] may object to any member of the audit team on grounds of a conflict of interest or the existence of other circumstances that could interfere with the team member’s impartial performance of his or her duties (see audit team bios). Any such objections must be provided in writing to the ATL no later than fifteen (15) days prior to the start of on-site audit work.

The documents in the table below are included in this audit notification. Please note: Certain documents require completion and are required to be returned by their respective due dates shown in the table below.

Document Name/Description | Document Type | Document Name | Location/Folder Name
Audit Scope: Contains the standards and requirements related to the compliance audit. | Informational | Appendix A | Attached
Audit Team Biographies | Informational | Audit Team Biographies.pdf | FTP2 Site of MRO’s EFT server
Operations and Planning Reliability Standards Request for Information (RFI) | Data Requests | Ops Planning Reliability Standards RFI Spreadsheet.xlsx | FTP2 Site of MRO’s EFT server
RFI Worksheets | Data Requests | | FTP2 Site of MRO’s EFT server
CIP Reliability Standards Request for Information (RFI) | Data Requests | CIP Reliability Standards RFI Spreadsheet.xlsx | FTP2 Site of MRO’s EFT server
Reliability Standard Audit Worksheets (RSAWs) | Data Requests | | FTP2 Site of MRO’s EFT server
MRO Audit Certification | Informational/Attestation | MRO Audit Certification | FTP2 Site of MRO’s EFT server
Internal Compliance Program Questionnaire | Data Request | Internal Compliance Program Questionnaire.docx | FTP2 Site of MRO’s EFT server

In regard to the evidence request items described above and other data requested by MRO, please note that unless otherwise specified, we request that you provide original, un-redacted and un-combined copies in Word, Excel, or PowerPoint format (non-PDF) or the “native” format for the requested item(s). Please send all responses and supporting documents back to MRO via the FTP2 site of MRO’s Encrypted EFT site no later than the dates listed below (please note that the important dates/deadlines below are subject to change and are not inclusive):


Important Dates/Deadlines

Description | Date

Operations and Planning Reliability Standards Request for Information (RFI)
  Item “OP-01”: Delete if not being requested. | [DATE that is 15 calendar days AFTER THIS LETTER IS SENT TO RE]
  Items “OP-02” – “OP-17”: LIST SPECIFIC RFI NUMBERS | [DATE that is 15 calendar days AFTER this letter is sent to RE]
  RFI Worksheets | [Date that is 15 calendar days AFTER this letter is sent to RE]

CIP Reliability Standards Request for Information (RFI)
  Round 1 Request: Rounds | [DATE that is 15 calendar days AFTER this letter is sent to RE]
  Round 2 and/or Round 3 Request: Rounds | [DATE that is 15 calendar days BEFORE start of audit]

Reliability Standard Audit Worksheets (RSAWs) | [DATE that is 15 calendar days BEFORE start of audit]
MRO Audit Certification | [DATE that is 15 calendar days BEFORE START OF AUDIT]
Internal Compliance Program Questionnaire | [DATE that is 15 calendar days BEFORE START OF AUDIT]

In addition to the MRO audit notification packet sent to the designated Primary Compliance Contact, please note that the designated Authorized Officer has received an MRO Audit Certification Letter. The letter explains the objectives of the compliance audit and delegated authority with NERC. Please let us know if you have any questions.

MRO Compliance Office
380 St. Peter Street, Suite 800
St. Paul, MN 55102

Copy: Entity Authorized Officer NERC Regional Contacts Audit Team


Appendix A - Standards and Requirements included in Audit Scope

Standard(s) | Requirement(s) | Title
BAL-001-2 | | Real Power Balancing Control Performance
BAL-002-1 | | Disturbance Control Performance
BAL-003-1.1 | | Frequency Response and Bias
BAL-004-0 | | Time Error Correction
BAL-005-0.2b | | Automatic Generation Control
BAL-006-2 | | Inadvertent Interchange
COM-001-3 | | Communications
COM-002-4 | | Operating Personnel Communications Protocols
EOP-001-2.1b | | Emergency Operations Planning
EOP-002-3.1 | | Capacity and Energy Emergencies
EOP-003-2 | | Load Shedding Plans
EOP-004-2 | | Event Reporting
EOP-005-2 | | System Restoration from Blackstart Resources
EOP-006-2 | | System Restoration Coordination
EOP-008-1 | | Loss of Control Center Functionality
EOP-010-1 | | Geomagnetic Disturbance Operations
EOP-011-1 | | Emergency Plan Development and Coordination
FAC-001-1 | | Facility Connection Requirements
FAC-002-2 | | Coordination of Plans For New Generation, Transmission, and End-User Facilities
FAC-003-4 | | Transmission Vegetation Management
FAC-008-3 | | Facility Ratings
FAC-010-2.1 | | System Operating Limits Methodology for the Planning Horizon
FAC-011-2 | | System Operating Limits Methodology for the Operations Horizon
FAC-013-2 | | Assessment of Transfer Capability for the Near-term Transmission Planning Horizon
FAC-014-2 | | Establish and Communicate System Operating Limits
INT-001-3 | | Interchange Information
INT-003-3 | | Interchange Transaction Implementation
INT-004-2 | | Dynamic Interchange Transaction Modifications
INT-005-3 | | Interchange Authority Distributes Arranged Interchange
INT-006-3 | | Response to Interchange Authority
INT-007-1 | | Interchange Confirmation
INT-008-3 | | Interchange Authority Distributes Status
INT-009-1 | | Implementation of Interchange
INT-010-1 | | Interchange Coordination Exemptions
IRO-001-4 | | Reliability Coordination - Responsibilities and Authorities
IRO-002-2 | | Reliability Coordination - Facilities
IRO-003-2 | | Reliability Coordination - Wide-Area View
IRO-004-2 | | Reliability Coordination - Operations Planning
IRO-005-3.1a | | Reliability Coordination - Current Day Operations
IRO-006-5 | | Reliability Coordination - Transmission Loading Relief (TLR)
IRO-008-1 | | Reliability Coordinator Operational Analyses and Real-time Assessments
IRO-009-1 | | Reliability Coordinator Actions to Operate Within IROLs
IRO-010-1a | | Reliability Coordinator Data Specification and Collection
IRO-014-1 | | Procedures, Processes, or Plans to Support Coordination Between Reliability Coordinators
IRO-015-1 | | Notifications and Information Exchange Between Reliability Coordinators
IRO-016-1 | | Coordination of Real-time Activities Between Reliability Coordinators
MOD-001-1a | | Available Transmission System Capability
MOD-004-1 | | Capacity Benefit Margin
MOD-008-1 | | Transmission Reliability Margin Calculation Methodology
MOD-010-0 | | Steady-State Data for Modeling and Simulation of the Interconnected Transmission System
MOD-012-0 | | Dynamics Data for Modeling and Simulation of the Interconnected Transmission System
MOD-016-1.1 | | Documentation of Data Reporting Requirements for Actual and Forecast Demands, Net energy for Load, and Controllable Demand-Side Management
MOD-017-0.1 | | Aggregated Actual and Forecast Demands and Net Energy for Load
MOD-018-0 | | Treatment of Nonmember Demand Data and How Uncertainties are Addressed in the Forecasts of Demand and Net Energy for Load
MOD-019-0.1 | | Reporting of Interruptible Demands and Direct Control Load Management
MOD-020-0 | | Providing Interruptible Demands and Direct Control Load Management Data to System Operators and Reliability Coordinators
MOD-021-1 | | Documentation of the Accounting Methodology for the Effects of Demand-Side Management in Demand and Energy Forecasts
MOD-025-2 | | Verification and Data Reporting of Generator Real and Reactive Power Capability and Synchronous Condenser Reactive Power Capability
MOD-026-1 | | Verification of Models and Data for Generator Excitation Control System or Plant Volt/Var Control Functions
MOD-027-1 | | Verification of Models and Data for Turbine/Governor and Load Control or Active Power/Frequency Control Functions
MOD-028-2 | | Area Interchange Methodology
MOD-029-1a | | Rated System Path Methodology
MOD-030-2 | | Flowgate Methodology
MOD-032-1 | | Data for Power System Modeling and Analysis
NUC-001-3 | | Nuclear Plant Interface Coordination
PER-001-0.2 | | Operating Personnel Responsibility and Authority
PER-003-1 | | Operating Personnel Credentials
PER-004-2 | | Reliability Coordination - Staffing
PER-005-2 | | System Personnel Training
PRC-001-1.1 | | System Protection Coordination
PRC-002-2 | | Disturbance Monitoring and Reporting Requirements
PRC-004-4(i) | | Analysis and Mitigation of Transmission and Generation Protection System Misoperations
PRC-005-6 | | Protection System, Automatic Reclosing, and Sudden Pressure Relaying Maintenance
PRC-006-1 | | Automatic Underfrequency Load Shedding
PRC-008-0 | | Implementation and Documentation of Underfrequency Load Shedding Equipment Maintenance Program
PRC-010-0 | | Technical Assessment of the Design and Effectiveness of Undervoltage Load Shedding Program
PRC-011-0 | | Undervoltage Load Shedding System Maintenance and Testing
PRC-015-0 | | Special Protection System Data and Documentation
PRC-016-0.1 | | Special Protection System Misoperations
PRC-017-0 | | Special Protection System Maintenance and Testing
PRC-018-1 | | Disturbance Monitoring Equipment Installation and Data Reporting
PRC-019-2 | | Coordination of Generating Unit or Plant Capabilities, Voltage Regulating Controls, and Protection
PRC-021-1 | | Under-Voltage Load Shedding Program Data
PRC-022-1 | | Under-Voltage Load Shedding Program Performance
PRC-023-4 | | Transmission Relay Loadability
PRC-024-2 | | Generator Frequency and Voltage Protective Relay Settings
PRC-025-1 | | Generator Relay Loadability
TOP-001-3 | | Transmission Operations
TOP-002-4 | | Operations Planning
TOP-003-3 | | Planned Outage Coordination
TOP-004-2 | | Transmission Operations
TOP-005-2a | | Operational Reliability Information
TOP-006-2 | | Monitoring System Conditions
TOP-007-0 | | Reporting System Operating Limit (SOL) and Interconnection Reliability Operating Limit (IROL) Violations
TOP-008-1 | | Response to Transmission Limit Violations
TPL-001-4 | | Transmission System Planning Performance Requirements
TPL-002-0b | | System Performance Following Loss of a Single Bulk Electric System Element (Category B)
TPL-003-0b | | System Performance Following Loss of Two or More Bulk Electric System Elements (Category C)
TPL-004-0a | | System Performance Following Extreme Events Resulting in the Loss of Two or More Bulk Electric System Elements (Category D)
TPL-007-1 | R1 | Transmission System Planned Performance for Geomagnetic Disturbance Events
VAR-001-4.1 | | Voltage and Reactive Control
VAR-002-4 | | Generator Operation for Maintaining Network Voltage Schedules
CIP-002-5.1a | R2 | Cyber Security - BES Cyber System Categorization
CIP-003-6 | R2 | Cyber Security - Security Management Controls
CIP-004-6 | R3,R4,R5 | Cyber Security - Personnel & Training
CIP-005-5 | R1,R2 | Cyber Security - Electronic Security Perimeter(s)
CIP-006-6 | R1,R2,R3 | Cyber Security - Physical Security of BES Cyber Systems
CIP-007-6 | R1,R2,R3,R4,R5 | Cyber Security - Systems Security Management
CIP-009-6 | R1,R2 | Cyber Security – Recovery Plans for BES Cyber Systems
CIP-010-2 | R1,R2 | Cyber Security - Configuration Change Management and Vulnerability Assessments
CIP-011-2 | R1,R2 | Cyber Security - Information Protection
CIP-014-2 | R1 | Cyber Security - Physical Security


Non-Public and Confidential

Date

AO NAME
AO Title
Audit Entity ADDRESS
AO E-mail Address

Subject: Compliance Audit Letter

Dear Entity Contact, Authorized Officer:

Audit (hereinafter ) is scheduled to receive a Compliance Audit Audit Start Date to Audit End Date. The audit scope includes CIP, Operating, and Planning NERC Reliability Standards and is based on a reliability risk-based assessment conducted by MRO.

[Entity] is listed on the NERC Compliance Registry and therefore is considered a bulk power owner, user, or operator in the United States and is subject to compliance audits under the Federal Power Act. As such, [Entity] is responsible for complying with applicable Reliability Standards to maintain and protect the reliability of the bulk power system.

MRO will audit the records related to the applicable Reliability Standards. The objective of the compliance audit is to review evidence that provides reasonable assurance of compliance or findings related to the applicable Reliability Standards. At the conclusion of the compliance audit, an exit briefing will be provided to discuss the compliance audit results and the timing of the audit report. The compliance audit is conducted in accordance with the Compliance Monitoring and Enforcement Program (CMEP) and applicable NERC Rules of Procedure approved by the applicable regulator (in the United States, the Federal Energy Regulatory Commission).

In order to complete the compliance audit, and to do so efficiently, unrestricted access to applicable documents and individuals within [Entity] is required. MRO will make requests of such information within a reasonable time before the commencement of the compliance audit. Any information considered “Confidential Information” will be treated accordingly under the NERC Rules of Procedure, Section 1500. [Entity] is responsible for making available all applicable records and related information and for the accuracy and completeness of that information.

In addition, [Entity] warrants that the information, statements, including questionnaires completed by [Entity], and records provided in the course of the compliance audit are true and correct as of the date of the compliance audit completion or the final resolution of any possible violation found during the compliance audit.


If a possible violation is discovered, MRO will discuss the matter with [Entity] in advance and provide the Primary Compliance Contact of [Entity] with a written notice of the possible violation within a reasonable time that shall include the due process protections under the CMEP.

MRO requires certification of certain information that [Entity] provides to MRO in the conduct of a compliance audit. Please sign the certification attached, as the applicable authorized officer of [Entity], and return the original signed certification to MRO. In addition, MRO will provide your Primary Compliance Contact, under a separate mailing, with other information to assist in the completion of the compliance audit. MRO will advise [Entity] of any additional information required to conduct the compliance audit that requires your certification.

Thank you for your attention to this matter, and please contact me with any questions that you may have.

Respectfully submitted,

Sara E. Patrick
Vice President of Compliance Monitoring and Regulatory Affairs

CC: [Entity] Primary Compliance Contact – PCC NAME NERC Audit Team


C E R T I F I C A T I O N

I, , certify that I am of [Entity]; that I am authorized to execute this Certification on behalf of [Entity]; that I am familiar with [Entity]’s responses to the compliance notification, requests for information, RSAWs, and other information included to supplement such responses provided to MRO in connection with the compliance audit of [Entity]; that, to the best of my information, knowledge and belief, the statements and supporting documents included in this response and appended to this certification are true and correct as of the date of signing and will be updated on a continuing basis until final resolution of the audit.

Signature
Name and Title
[Entity]
Address
Address
Telephone and Fax
e-mail

Date


Request # | Round | Request ID | Standard | Requirement | Document Title/Description | MRO Comments | Requested By | Registered Entity Comments | Request Date | Due Date | Status

Round 1-1 Request C-001
CIP-002-5.1, CIP-004-6, CIP-005-5, CIP-006-6, CIP-007-6, CIP-009-6, CIP-010-2
R1, R2-R5, R1-R2, R1, R1-R5, R1-R2, R1-R3
BES Cyber System Categorization

Provide your current Facility Verification form (or any other documentation you already have) updated to identify the following:
1) Which BES Assets have High Impact BES Cyber System(s). For each High Impact BES Cyber System, list:
   a) The name/unique identifier of the BES Cyber System
   b) The location of the BES Cyber System
   c) The function/type of operation it performs
   d) The number of cyber assets that are within it
   e) All the owners (if jointly owned) along with who is responsible for meeting the associated compliance obligations
2) Which BES Assets have Medium Impact BES Cyber System(s). For each Medium Impact BES Cyber System, list:
   a) The name/unique identifier of the BES Cyber System
   b) The location of the BES Cyber System
   c) The function/type of operation it performs
   d) The number of cyber assets that are within it
   e) All the owners (if jointly owned) along with who is responsible for meeting the associated compliance obligations

Notification Packet
## Notification Date ##
## 15 calendar days after notification packet sent ##

Round 1-1 Request C-002
CIP-006-6 R1 - R3
Designated Physical Security Perimeters (PSPs)

Provide a complete listing of ALL Physical Security Perimeters (PSPs). We request this list to be provided in MS Excel format. Furthermore, for each PSP, we request the Excel spreadsheet include (at a minimum) the following information:
- Name or other unique identifier
- Physical Location/Address
- List of access points at each PSP
- Highest Impact Rating for BCA's inside the PSP (High or Medium)

Notification Packet
## Notification Date ##
## 15 calendar days after notification packet sent ##

Round 1-1 Request C-003
CIP-004-6 R2-R5
Designated storage locations for BES Cyber System Information

Provide a complete listing of ALL Designated BCS Information Storage Locations. We request this list to be provided in MS Excel format and include (at a minimum) the following information:
- Name or other unique identifier
- Location (electronic location or physical address)
- Whether location is a physical or electronic location

Notification Packet
## Notification Date ##
## 15 calendar days after notification packet sent ##

Round 1-1 Request C-004
CIP-008-5, CIP-003-6
R2-R3, R2
Cyber Security Incident Response Plan Tests

Provide a complete listing of tests performed during the audit period of the Cyber Security Incident Response plan as well as any actual cyber security incidents. We request this list to be provided in MS Excel format. Furthermore, for each test of the Cyber Security Incident Response plan and actual Cyber Security Incident, we request the Excel spreadsheet include (at a minimum) the following information:
- Date of test
- Event type (test or actual incident)
- Brief description
- Reportable incident? (Y/N)
- Indicate whether the test was for a High/Medium facility or low impact asset

Notification Packet
## Notification Date ##
## 15 calendar days after notification packet sent ##

Round 1-1 Request C-005
CIP-011-2 R2
Reuse or Disposal of BES Cyber Assets

Provide a complete listing of high/medium BES Cyber Assets that have been released for reuse or disposal. We request this list to be provided in MS Excel format. Furthermore, for each asset, we request the Excel spreadsheet include (at a minimum) the following information:
- Asset ID
- Asset Model
- Device type (Server, Router, Workstation, Switch, etc.)
- Status (Released for Reuse or Disposal)
- Date Released (if applicable)
- Date Disposed (if applicable)

Notification Packet
## Notification Date ##
## 15 calendar days after notification packet sent ##

Round 1-3 Request C-006
CIP-014-2 R1-R6
Substation Review

Please provide a complete listing of all substations that meet the criteria defined in 4.1.1 of the Applicability section in R1, including (at a minimum):
- Substation name
- Impact Rating (High or Medium)
- Criteria met in CIP-014-2 Applicability Section 4.1.1
- Whether the substation is a jointly owned facility (Y/N)
- Compliance owner of the facility (if a jointly owned facility)

Please be aware that for planning purposes a phone interview may be discussed to have this list provided prior to the onsite audit.

Notification Packet
## Notification Date ##
Please provide during onsite portion of audit

- Unless otherwise specified in the request, please provide original, un-redacted and un-combined copies in MS Word format or the 'native' format for the requested item(s).

NOTE: Request #s: "0XX" are population requests from the Notification Packet; "1XX" are non-population requests from the Notification Packet.

Instructions:
- Please provide your documentation as requested and reference the 'request number' in all communications. Please keep original file names intact.
- Please place all documents for a given request into a folder with the request number as its name.
- Electronic documentation is required for all data submittals.
- For those RFIs that indicate "applies to samples selected", this means that evidence is being requested for only those devices that are included in the sample set.
- For those RFIs requesting information for something that is not applicable to the entity, please just indicate that in the response to the RFI.


Round 1-1 Request C-007
CIP-010-2 R4
Transient Cyber Assets managed by Responsible Entity

Please provide a complete listing of all Transient Cyber Asset(s) (TCAs) managed by the Responsible Entity. We request this list to be provided in MS Excel format. Furthermore, for each TCA, include (at a minimum) the following information:
- Transient Cyber Asset ID
- Transient Cyber Asset management Type (on-going or on-demand)
- Transient Cyber Asset Description
- Connection date(s)
- Which Plan(s) the TCA is linked to
- Cyber Asset connected to

Notification Packet
## Notification Date ##
## 15 calendar days after notification packet sent ##

Round 1-1 Request C-008
CIP-010-2 R4
Transient Cyber Asset(s) managed by other party

Please provide a complete listing of all Transient Cyber Asset(s) (TCAs) managed by another party. We request this list to be provided in MS Excel format. Furthermore, for each TCA, include (at a minimum) the following information:
- Transient Cyber Asset ID
- Managing party name
- Transient Cyber Asset Description
- Access date(s)
- Cyber Asset connected to

Notification Packet
## Notification Date ##
## 15 calendar days after notification packet sent ##

Round 1-1 Request C-009
CIP-010-2 R4
Removable Media

Please provide a complete listing of all Removable Media that is approved for use. We request this to be provided in MS Excel format. Furthermore, for each piece of removable media, include (at a minimum) the following information:
- Removable Media ID
- Date(s) of connection
- ID of the Cyber Asset to which it was connected
- Description of use

Notification Packet
## Notification Date ##
## 15 calendar days after notification packet sent ##

Round 1-1 Request C-010
CIP-002-5.1 R1
Assets containing LIBCS

Please provide information showing the following:
1) Which BES Assets have Low Impact BES Cyber System(s). For each asset containing a LIBCS, list:
   a) The name/unique identifier of the asset(s)
   b) The location of the asset(s)
   c) The function/type of operation it performs
   d) Whether there is an electronic access point identified
   e) Whether there is Dial-up connectivity to the asset(s)
   f) All the owners (if jointly owned) along with who is responsible for meeting the associated compliance obligations
2) If explicit lists are required by asset, a list of the explicit LIBCS
   a) The name/unique identifier of the LIBCS
   b) The location of the LIBCS
   c) The function/type of operation it performs
   d) Whether there is an electronic access point identified
   e) Whether there is Dial-up connectivity to the LIBCS
   f) All the owners (if jointly owned) along with who is responsible for meeting the associated compliance obligations

Notification Packet
## Notification Date ##
## 15 calendar days after notification packet sent ##

Round 1-2 Request C-100
CIP-002-5.1 R1
BES Cyber System Categorization

Please provide documentation of the process followed to assign asset impact ratings for BES assets as well as BES Cyber Systems at those facilities. Please include evidence for the current version of each document/list.

Notification Packet
## Notification Date ##
## 15 calendar days prior to audit onsite ##

Round 1-2 Request C-101
CIP-002-5.1 R2
Evidence of Review and Approval of BES Cyber Systems

Please provide evidence demonstrating the review and CIP Senior Manager, or delegate, approval at least once every 15 calendar months of the impact rating identifications in Requirement R1 and its parts (even if it has no identified items from Requirement R1).

Please also provide evidence demonstrating the identification of the CIP Senior Manager, or delegate, that was effective at the time of the approval(s).

Please include evidence for the current version of each document/list.

Notification Packet
## Notification Date ##
## 15 calendar days prior to audit onsite ##

Round 1-2 Request C-102
CIP-003-6 R1
Cyber Security Policy

Please provide documentation comprising the cyber security policies for the high, medium, and low impact BES Cyber Systems. Please include the current version of the policy or policies. Any referenced documents that have not already been provided in response to this or other document requests must also be included.

Notification Packet
## Notification Date ##
## 15 calendar days prior to audit onsite ##

Round 1-2 Request C-103
CIP-003-6 R1
Evidence of Cyber Security Policy Annual Review and Approval

Please provide evidence demonstrating the review and CIP Senior Manager approval of all cyber security policies at least once every 15 calendar months. Please include evidence for the current version of each document.

Notification Packet
## Notification Date ##
## 15 calendar days prior to audit onsite ##

Round 1-2 Request C-104
CIP-003-6 R2
Low Impact BES Cyber Systems (LIBCS) cyber security plan(s)

Please provide the cyber security plan document(s) for low impact BES Cyber Systems.

Notification Packet
## Notification Date ##
## 15 calendar days prior to audit onsite ##

Round 1-2 Request C-105
CIP-003-6 R3
Identification of CIP Senior Manager

Please provide dated evidence supporting the identification of the CIP Senior Manager effective at all times during the compliance monitoring period.

Notification Packet
## Notification Date ##
## 15 calendar days prior to audit onsite ##

Round 1-2 Request C-106
CIP-003-6 R4
Delegation of Senior Manager Authority

Please provide evidence supporting the delegation of any CIP Senior Manager's authority, to include the name or title of the delegate, specific actions delegated, and the date of the delegations effective at any time during the compliance monitoring period.

Notification Packet
## Notification Date ##
## 15 calendar days prior to audit onsite ##


Request # | Round | Request ID | Standard | Requirement | Document Title/Description | MRO Comments | Requested By | Registered Entity Comments | Request Date | Due Date | Status

Round 1-2 Request C-107 CIP-004-6 R1 Security Awareness Program Documentation

Please provide documented process(es) describing the security awareness program.

Please include the current version of any program documentation. Any referenced documents that have not already been provided in response to this or other document requests must also be included.

Requested by: Notification Packet. Request date: ## Notification Date ##. Due date: ## 15 calendar days prior to audit onsite ##.

Round 1-2 Request C-108 CIP-004-6 R1.1.1 Security Awareness Program Documentation

Please provide documentation of the quarterly reinforcement materials provided to personnel who have authorized electronic or authorized unescorted physical access to BES Cyber Systems.

Requested by: Notification Packet. Request date: ## Notification Date ##. Due date: ## 15 calendar days prior to audit onsite ##.

Round 1-2 Request C-109 CIP-004-6 R2 Cyber Security Training Program Documentation

Please provide documentation describing the cyber security training program.

Please include the current version of any program documentation. Any referenced documents that have not already been provided in response to this or other document requests must also be included.

Requested by: Notification Packet. Request date: ## Notification Date ##. Due date: ## 15 calendar days prior to audit onsite ##.

Round 1-2 Request C-110 CIP-004-6 R2.2.1 Cyber Security Training Materials

Please provide copies of cyber security training materials. Please include the current version of any training materials. Any referenced documents that have not already been provided in response to this or other document requests must also be included.

Requested by: Notification Packet. Request date: ## Notification Date ##. Due date: ## 15 calendar days prior to audit onsite ##.

Round 1-2 Request C-111 CIP-004-6 R3 Personnel Risk Assessment Program Documentation

Please provide documentation describing the personnel risk assessment program established to attain and retain authorized electronic or authorized unescorted physical access to BES Cyber Systems. Please include the current version of the documentation.

Requested by: Notification Packet. Request date: ## Notification Date ##. Due date: ## 15 calendar days prior to audit onsite ##.

Round 1-2 Request C-112 CIP-004-6 R4 Access Management Program - Authorization Process

Please provide documentation describing the access management program that authorizes electronic access, unescorted physical access into a Physical Security Perimeter, and access to designated storage locations, whether physical or electronic, for BES Cyber System Information. Please include the current version of the documentation.

Requested by: Notification Packet. Request date: ## Notification Date ##. Due date: ## 15 calendar days prior to audit onsite ##.

Round 1-2 Request C-113 CIP-004-6 R4.4.2 Access Management Program - Quarterly Verification

Please provide documentation of each calendar quarter review of individuals with active electronic access or unescorted physical access to applicable BES Cyber Systems. Please include the current version and the last three quarterly reviews during the compliance monitoring period.

Requested by: Notification Packet. Request date: ## Notification Date ##. Due date: ## 15 calendar days prior to audit onsite ##.

Round 1-2 Request C-114 CIP-004-6 R4.4.3 Access Management Program - Privilege Review

Please provide documentation of verification that user accounts, user account groups, or user role categories, and their specific, associated privileges are correct and are those that the Responsible Entity determines are necessary that are verified every 15 calendar months. Please include the current version of the documentation.

Requested by: Notification Packet. Request date: ## Notification Date ##. Due date: ## 15 calendar days prior to audit onsite ##.

Round 1-2 Request C-115 CIP-004-6 R4.4.4 Access Management Program - Privilege Review - BCS Information storage locations

Please provide documentation that verifies at least once every 15 calendar months that access to the designated storage locations for BES Cyber System Information, whether physical or electronic, are correct and are those that the Responsible Entity determines are necessary for performing assigned work functions.

Requested by: Notification Packet. Request date: ## Notification Date ##. Due date: ## 15 calendar days prior to audit onsite ##.

Round 1-2 Request C-116 CIP-004-6 R5 Access Revocation

Please provide documentation describing the access revocation program.

Requested by: Notification Packet. Request date: ## Notification Date ##. Due date: ## 15 calendar days prior to audit onsite ##.

Round 1-2 Request C-117 CIP-005-5 R1 Electronic Security Perimeter (ESP)

Please provide documented process(es) related to the Electronic Security Perimeters (ESPs).

Requested by: Notification Packet. Request date: ## Notification Date ##. Due date: ## 15 calendar days prior to audit onsite ##.

Round 1-2 Request C-119 CIP-005-5 R2 Interactive Remote Access Management

Please provide documented process(es) related to Interactive Remote Access management.

Requested by: Notification Packet. Request date: ## Notification Date ##. Due date: ## 15 calendar days prior to audit onsite ##.

Round 1-2 Request C-120 CIP-006-6 R1 Physical Security Plan

Please provide all documented physical security plans and PSP diagrams.

Requested by: Notification Packet. Request date: ## Notification Date ##. Due date: ## 15 calendar days prior to audit onsite ##.

Round 1-2 Request C-121 CIP-006-6 R2 Visitor Control Program

Please provide all documented visitor control programs.

Requested by: Notification Packet. Request date: ## Notification Date ##. Due date: ## 15 calendar days prior to audit onsite ##.

Round 1-2 Request C-122 CIP-006-6 R3 PACS Maintenance and Testing

Please provide all documented Physical Access Control Systems maintenance and testing programs.

Requested by: Notification Packet. Request date: ## Notification Date ##. Due date: ## 15 calendar days prior to audit onsite ##.

Round 1-2 Request C-123 CIP-007-6 R1 Ports and Services

Please provide documented process(es) used to manage ports and services.

Requested by: Notification Packet. Request date: ## Notification Date ##. Due date: ## 15 calendar days prior to audit onsite ##.

Round 1-2 Request C-124 CIP-007-6 R2 Security Patch Management

Please provide documented process(es) describing security patch management.

Requested by: Notification Packet. Request date: ## Notification Date ##. Due date: ## 15 calendar days prior to audit onsite ##.

Round 1-2 Request C-125 CIP-007-6 R3 Malicious Code Prevention

Please provide documented process(es) describing malicious code prevention.

Requested by: Notification Packet. Request date: ## Notification Date ##. Due date: ## 15 calendar days prior to audit onsite ##.

Round 1-2 Request C-126 CIP-007-6 R4 Security Event Monitoring

Please provide documented process(es) describing security event monitoring.

Requested by: Notification Packet. Request date: ## Notification Date ##. Due date: ## 15 calendar days prior to audit onsite ##.

Round 1-2 Request C-127 CIP-007-6 R5 System Access Controls

Please provide documented process(es) used to control system access.

Requested by: Notification Packet. Request date: ## Notification Date ##. Due date: ## 15 calendar days prior to audit onsite ##.

Round 1-2 Request C-128 CIP-008-5 R1 Cyber Security Incident Response Plan Specifications

Please provide documented process(es) describing the Cyber Security Incident response plan specifications.

Requested by: Notification Packet. Request date: ## Notification Date ##. Due date: ## 15 calendar days prior to audit onsite ##.


Round 1-2 Request C-129 CIP-008-5 R2 Cyber Security Incident Response Plan Implementation and Testing

Please provide documented process(es) describing the implementation and testing of Cyber Security Incident response plan(s).

Requested by: Notification Packet. Request date: ## Notification Date ##. Due date: ## 15 calendar days prior to audit onsite ##.

Round 1-2 Request C-130 CIP-008-5 R3 Cyber Security Incident Response Plan Review, Update, and Communication

Please provide documented process(es) describing the review, update, and communication of Cyber Security Incident response plan(s).

Requested by: Notification Packet. Request date: ## Notification Date ##. Due date: ## 15 calendar days prior to audit onsite ##.

Round 1-2 Request C-131 CIP-009-6 R1 Recovery Plan Specifications

Please provide documented process(es) describing the recovery plan specifications.

Requested by: Notification Packet. Request date: ## Notification Date ##. Due date: ## 15 calendar days prior to audit onsite ##.

Round 1-2 Request C-132 CIP-009-6 R2 Recovery Plan Implementation and Testing

Please provide documented process(es) describing the implementation and testing of recovery plan(s).

Requested by: Notification Packet. Request date: ## Notification Date ##. Due date: ## 15 calendar days prior to audit onsite ##.

Round 1-2 Request C-133 CIP-009-6 R3 Recovery Plan Review, Update and Communication

Please provide documented plan(s) describing the review, update, and communication of recovery plan(s).

Requested by: Notification Packet. Request date: ## Notification Date ##. Due date: ## 15 calendar days prior to audit onsite ##.

Round 1-2 Request C-134 CIP-010-2 R1 Configuration Change Management

Please provide documented process(es) describing configuration change management.

Requested by: Notification Packet. Request date: ## Notification Date ##. Due date: ## 15 calendar days prior to audit onsite ##.

Round 1-2 Request C-135 CIP-010-2 R2 Configuration Monitoring

Please provide documented process(es) describing configuration monitoring.

Requested by: Notification Packet. Request date: ## Notification Date ##. Due date: ## 15 calendar days prior to audit onsite ##.

Round 1-2 Request C-136 CIP-010-2 R3 Vulnerability Assessments

Please provide documented process(es) describing vulnerability assessments.

Requested by: Notification Packet. Request date: ## Notification Date ##. Due date: ## 15 calendar days prior to audit onsite ##.

Round 1-2 Request C-137 CIP-011-2 R1 Information Protection

Please provide documented procedure(s) for identifying, protecting, and securely handling BES Cyber System Information.

Requested by: Notification Packet. Request date: ## Notification Date ##. Due date: ## 15 calendar days prior to audit onsite ##.

Round 1-2 Request C-138 CIP-010-2 R4 Transient Cyber Assets and Removable Media plans

Please provide documentation for the documented plan(s) for Transient Cyber Assets and Removable Media that include the sections in CIP-010-2 Attachment 1.

Requested by: Notification Packet. Request date: ## Notification Date ##. Due date: ## 15 calendar days prior to audit onsite ##.

Round 1-2 Request C-139 CIP-011-2 R2 BES Cyber Asset Reuse and Disposal

Please provide documentation describing the BES Cyber Asset Reuse and Disposal processes.

Requested by: Notification Packet. Request date: ## Notification Date ##. Due date: ## 15 calendar days prior to audit onsite ##.

Round 1-2 Request C-140 CIP-006-6 R1.1.10 Cabling and nonprogrammable communication components

Please provide evidence of physical access restriction to cabling and other nonprogrammable communication components used for connection between applicable Cyber Assets within the same Electronic Security Perimeter in those instances when such cabling and components are located outside of a Physical Security Perimeter.

If no physical access restrictions are implemented, please provide documentation describing:
- encryption of data that transits such cabling and components; or
- monitoring the status of the communication link composed of such cabling and components that includes system generated evidence of any alarms/alerts received and dated (including time) notification being sent to personnel identified in the BES Cyber Security Incident response plan; or
- an equally effective logical protection

Requested by: Notification Packet. Request date: ## Notification Date ##. Due date: ## 15 calendar days prior to audit onsite ##.

Round 1-2 Request C-141 CIP-005-5 R1 Network Device Configuration Files

Please provide the raw configuration files for each electronic access point protecting defined ESPs. Additionally, please provide any router and switch raw configurations internal to those ESPs, where available (Managed switches using configuration files - this does not apply to unmanaged switches). Passwords, asymmetric and symmetric keys need to be redacted where applicable. Please do not PDF the files.

Configurations for devices should be obtained using the commands for supported devices referenced at: http://www.network-perception.com/supported-devices/

Requested by: Notification Packet. Request date: ## Notification Date ##. Due date: ## 15 calendar days prior to audit onsite ##.

TFEs C-TFE N/A N/A Technical Feasibility Exceptions (TFEs)

For each of the approved TFEs listed below, please provide evidence to support the implementation of the compensating measures and ongoing research towards achieving strict compliance as required:
yyyy-MRO-TFE#####-A#

Also, please provide a list of which assets specifically tie to each TFE. Within the list please provide the following:
- Asset ID
- Manufacturer
- Model
- Serial #
- Associated TFE Number

Requested by: CIP Team. Request date: ## Three weeks after Notification Date ##. Due date: ## Five weeks after Notification Date ##.


Round 2 Request C-200

CIP-002-5.1 R1; CIP-004-6 R2-R5; CIP-005-5 R1-R2; CIP-007-6 R1-R5; CIP-009-6 R1-R3; CIP-010-2 R1-R3

High Impact BES Cyber Systems (HIBCS)

For each sampled High Impact BES Cyber System provide a complete listing of all BES Cyber Assets (BCAs) within it, including the following details for each BCA:
- Asset id/hostname
- Asset Model
- Device type (Server, Router, Workstation, Switch, etc.)
- Technology Specifications (Windows Version, Linux OS Version, Firmware, etc.)
- PSP location
- ESP Identifier/location
- External Routable Connectivity?
- Dial Up Connectivity?
- Contains an Electronic Access Point (EAP) interface?
- Hypervisor/VM host Asset id (if applicable)
- Deployment date (Pre-July 1, 2016 or specific date thereafter)?
- TFE Number
- TFE's associated requirement

This request applies to samples selected from the following in "## Sample Worksheet Filename ##.":
- C-001 - BES Cyber System Categorization (High)

Requested by: CIP Team. Request date: ## Three weeks after Notification Date ##. Due date: ## Five weeks after Notification Date ##.

Round 2 Request C-201

CIP-002-5.1 R1; CIP-004-6 R2-R5; CIP-005-5 R1-R2; CIP-007-6 R1-R5; CIP-009-6 R1-R3; CIP-010-2 R1, R3

Medium Impact BES Cyber Systems (MIBCS)

For each sampled Medium Impact BES Cyber System provide a complete listing of all BES Cyber Assets (BCA) within it, including identifying the following for each BCA:
- Asset id/hostname
- Asset Model
- Device type (Server, Router, Workstation, Switch, etc.)
- Technology Specifications (Windows Version, Linux OS Version, Firmware, etc.)
- PSP location
- ESP identifier/location
- External Routable Connectivity?
- Dial Up Connectivity?
- Contains an Electronic Access Point (EAP) interface?
- Deployment date (Pre-July 1, 2016 or specific date thereafter)?
- Hypervisor/VM host Asset id (if applicable)
- TFE Number
- TFE's associated requirement

This request applies to samples selected from the following in "## Sample Worksheet Filename ##.":
- C-001 - BES Cyber System Categorization (Medium)

Requested by: CIP Team. Request date: ## Three weeks after Notification Date ##. Due date: ## Five weeks after Notification Date ##.

Round 2 Request C-202

CIP-002-5.1 R1.1.3; CIP-003-6 R2

Low Impact BES Cyber Systems (LIBCS)

For each sampled asset containing a Low Impact BES Cyber System or explicitly listed LIBCS provide a complete listing of the following:
- Electronic Access Point or Dial-up Connectivity Asset id/hostname, if applicable
- Device type (Server, Router, Workstation, Switch, etc.)
- PSP location
- ESP location
- Whether device has Dial-up capability

This request applies to samples selected from the following in "## Sample Worksheet Filename ##.":
- C-010 - Assets containing LIBCS

Requested by: CIP Team. Request date: ## Three weeks after Notification Date ##. Due date: ## Five weeks after Notification Date ##.

Round 2 Request C-203

CIP-002-5.1 R1; CIP-004-6 R2-R5; CIP-005-5 R1; CIP-006-6 R1; CIP-007-6 R1-R5; CIP-009-6 R1-R3; CIP-010-2 R1-R3

HIBCS - EACMS

Provide a complete listing of all Electronic Access Control and Monitoring Systems (EACMS) associated with each sampled High Impact BES Cyber System, including the following details for each:
- Asset id/hostname
- Asset Model
- Device type (Server, Router, Workstation, Switch, etc.)
- Technology Specifications (Windows Version, Linux OS Version, Firmware, etc.)
- PSP location
- ESP identifier/location

Requested by: CIP Team. Request date: ## Three weeks after Notification Date ##. Due date: ## Five weeks after Notification Date ##.


Round 2 Request C-204

CIP-002-5.1 R1; CIP-004-6 R2-R5; CIP-005-5 R1; CIP-006-6 R1; CIP-007-6 R1-R5; CIP-009-6 R1-R3; CIP-010-2 R1-R3

MIBCS - EACMS

Provide a complete listing of all Electronic Access Control and Monitoring Systems (EACMS) associated with each sampled Medium Impact BES Cyber System, including the following for each:
- Asset id/hostname
- Asset Model
- Device type (Server, Router, Workstation, Switch, etc.)
- Technology Specifications (Windows Version, Linux OS Version, Firmware, etc.)
- PSP location
- ESP identifier/location
- External Routable Connectivity?
- Dial Up Connectivity?
- Contains an Electronic Access Point (EAP) interface?
- Deployment date (Pre-July 1, 2016 or specific date thereafter)?
- Serves as an Intermediate System?
- Hypervisor/VM host Asset id (if applicable)
- TFE Number
- TFE's associated requirement

This request applies to samples selected from the following in "## Sample Worksheet Filename ##.":
- C-001 - BES Cyber System Categorization (Medium)

Requested by: CIP Team. Request date: ## Three weeks after Notification Date ##. Due date: ## Five weeks after Notification Date ##.

Round 2 Request C-205

CIP-002-5.1 R1; CIP-004-6 R2-R5; CIP-005-5 R1; CIP-006-6 R1; CIP-007-6 R1-R5; CIP-009-6 R1-R3; CIP-010-2 R1, R3

HIBCS - PACS

Provide a complete listing of all Physical Access Control Systems (PACS) associated with each sampled High Impact BES Cyber System, along with the following for each PACS:
- Asset id/hostname
- Asset Model
- Device type (Server, Router, Workstation, Switch, etc.)
- Technology Specifications (Windows Version, Linux OS Version, Firmware, etc.)
- PSP location
- ESP identifier/location
- External Routable Connectivity?
- Dial Up Connectivity?
- Deployment date (Pre-July 1, 2016 or specific date thereafter)?
- Hypervisor/VM host Asset id (if applicable)
- TFE Number
- TFE's associated requirement

This request applies to samples selected from the following in "## Sample Worksheet Filename ##.":
- C-001 - BES Cyber System Categorization (High)

Requested by: CIP Team. Request date: ## Three weeks after Notification Date ##. Due date: ## Five weeks after Notification Date ##.


Round 2 Request C-206

CIP-002-5.1 R1; CIP-004-6 R2-R5; CIP-005-5 R1; CIP-006-6 R1; CIP-007-6 R1-R5; CIP-009-6 R1-R3; CIP-010-2 R1, R3

MIBCS - PACS

Provide a complete listing of all Physical Access Control Systems (PACS) associated with each sampled Medium Impact BES Cyber System, including the following for each:
- Asset id/hostname
- Asset Model
- Device type (Server, Router, Workstation, Switch, etc.)
- Technology Specifications (Windows Version, Linux OS Version, Firmware, etc.)
- PSP location
- ESP identifier/location
- External Routable Connectivity?
- Dial Up Connectivity?
- Deployment date (Pre-July 1, 2016 or specific date thereafter)?
- Hypervisor/VM host Asset id (if applicable)
- TFE Number
- TFE's associated requirement

This request applies to samples selected from the following in "## Sample Worksheet Filename ##.":
- C-001 - BES Cyber System Categorization (Medium)

Requested by: CIP Team. Request date: ## Three weeks after Notification Date ##. Due date: ## Five weeks after Notification Date ##.

Round 2 Request C-207

CIP-002-5.1 R1; CIP-005-5 R1-R2; CIP-007-6 R1-R5; CIP-010-2 R1-R3

HIBCS - PCA

Provide a complete listing of all Protected Cyber Assets (PCA) associated with each sampled High Impact BES Cyber System, including the following for each:
- Asset id/hostname
- Asset Model
- Device type (Server, Router, Workstation, Switch, etc.)
- Technology Specifications (Windows Version, Linux OS Version, Firmware, etc.)
- PSP location
- ESP identifier/location
- External Routable Connectivity?
- Dial Up Connectivity?
- Deployment date (Pre-July 1, 2016 or specific date thereafter)?
- Hypervisor/VM host Asset id (if applicable)
- TFE Number
- TFE's associated requirement

This request applies to samples selected from the following in "## Sample Worksheet Filename ##.":
- C-001 - BES Cyber System Categorization (High)

Requested by: CIP Team. Request date: ## Three weeks after Notification Date ##. Due date: ## Five weeks after Notification Date ##.

Round 2 Request C-208

CIP-002-5.1 R1; CIP-005-5 R1-R2; CIP-007-6 R1-R5; CIP-010-2 R1, R3

MIBCS - PCA

Provide a complete listing of all Protected Cyber Assets (PCA) associated with each sampled Medium Impact BES Cyber System, including the following for each:
- Asset id/hostname
- Asset Model
- Device type (Server, Router, Workstation, Switch, etc.)
- Technology Specifications (Windows Version, Linux OS Version, Firmware, etc.)
- PSP location
- ESP identifier/location
- External Routable Connectivity?
- Dial Up Connectivity?
- Deployment date (Pre-July 1, 2016 or specific date thereafter)?
- Hypervisor/VM host Asset id (if applicable)
- TFE Number
- TFE's associated requirement

This request applies to samples selected from the following in "## Sample Worksheet Filename ##.":
- C-001 - BES Cyber System Categorization (Medium)

Requested by: CIP Team. Request date: ## Three weeks after Notification Date ##. Due date: ## Five weeks after Notification Date ##.


Round 3 Request C-300 CIP-004-6 R2-R5 Individuals with BES Cyber System Access

Provide a complete listing of ALL employees and contractors who are currently authorized for electronic access and/or unescorted physical access to the sampled assets referenced below. We request this list to be provided in MS Excel format. Furthermore, for each individual, we request the Excel spreadsheet include (at a minimum) the following information:
- Employee ID or other unique identifier
- Individual’s full name
- Individual’s company
- Contractor/Employee
- Position/job title
- Date when unescorted physical access was authorized if applicable
- Date when electronic access was authorized if applicable

This request applies to samples selected from the following in the file "## Sample Worksheet Filename ##.":
- C-200 - High Impact BES Cyber Systems (HIBCS)
- C-201 - Medium Impact BES Cyber Systems (MIBCS with External Routable Connectivity)
- C-203 - HIBCS-EACMS
- C-204 - MIBCS-EACMS (with External Routable Connectivity)
- C-205 - HIBCS-PACS
- C-206 - MIBCS-PACS (with External Routable Connectivity)

Requested by: CIP Team. Request date: ## Six weeks after Notification Date ##. Due date: ## Eight weeks after Notification Date ##.

Round 3 Request C-301 CIP-004-6 R2-R5 Individuals with access to designated storage locations for BCS Information

Provide a complete listing of ALL employees and contractors who are currently authorized for electronic and/or physical access to BES Cyber Systems Information Storage locations. We request this list to be provided in MS Excel format. Furthermore, for each individual, we request the Excel spreadsheet include (at a minimum) the following information:
- Employee ID or other unique identifier
- Individual’s full name
- Individual’s company
- Contractor/Employee
- Position/job title
- Date when access to storage location(s) was authorized
- Impact rating associated with the BCS Information Storage Locations

This request applies to samples selected from the following populations, in the file "## Sample Worksheet Filename ##.":
- C-003 - Designated storage locations for BES Cyber System Information

Requested by: CIP Team. Request date: ## Six weeks after Notification Date ##. Due date: ## Eight weeks after Notification Date ##.

Round 3 Request C-302 CIP-004-6 R2-R5 Access Revocation

Provide a complete listing of ALL employees and contractors whose Electronic Access, unescorted physical access, and/or access to BES Cyber Systems Information Storage locations was revoked during the audit period. We request this list to be provided in MS Excel format and include (at a minimum) the following information:
- Employee ID or other unique identifier
- Individual’s full name
- Individual’s company
- Contractor/Employee
- Position/job title
- Revocation for termination or reassignment/transfer (if appropriate)
- BCS(s) where unescorted physical access has been authorized
- Date on which physical access was revoked (if appropriate)
- BCS(s) where electronic access has been authorized
- Date on which electronic access was revoked (if appropriate)
- Access to BCS(s) storage location information has been authorized
- Date on which electronic storage access was revoked (if appropriate)

Requested by: CIP Team. Request date: ## Six weeks after Notification Date ##. Due date: ## Eight weeks after Notification Date ##.


Round 3 Request C-303 CIP-010-2 R1 BES Cyber System Baseline Configurations

For each device selected in the sample, please provide the established manual or system generated baseline configuration(s) for each device (generated no more than 30 days prior to the date of this request) for the audit period.

This request applies to samples selected from the following in the file "## Sample Worksheet Filename ##.":
- C-200 - High Impact BES Cyber Systems (HIBCS)
- C-201 - Medium Impact BES Cyber Systems (MIBCS)
- C-203 - HIBCS - EACMS
- C-204 - MIBCS - EACMS
- C-205 - HIBCS - PACS
- C-206 - MIBCS - PACS
- C-207 - HIBCS - PCA
- C-208 - MIBCS - PCA

Requested by: CIP Team. Request date: ## Six weeks after Notification Date ##. Due date: ## 15 calendar days prior to audit onsite ##.

Round 3 Request C-304 CIP-010-2 R1.1.2-1.1.5 BES Cyber System Changes

For each device selected in the sample, please provide a system generated list of all baseline changes made to the device (generated no more than 30 days prior to the date of this request) for the audit period. If the sample list of changes is null (empty), please provide additional evidence corroborating this fact.

This request applies to samples selected from the following in "## Sample Worksheet Filename ##.":
- C-200 - High Impact BES Cyber Systems (HIBCS)
- C-201 - Medium Impact BES Cyber Systems (MIBCS)
- C-203 - HIBCS - EACMS
- C-204 - MIBCS - EACMS
- C-205 - HIBCS - PACS
- C-206 - MIBCS - PACS
- C-207 - HIBCS - PCA
- C-208 - MIBCS - PCA

Requested by: CIP Team. Request date: ## Six weeks after Notification Date ##. Due date: ## Eight weeks after Notification Date ##.

Round 3 Request C-305 CIP-010-2 R2.2.1 Configuration Change Management

For each device in the sample, please provide documentation of the baseline configuration monitoring that occurs at least every 35 calendar days and documentation on any unauthorized changes.

This request applies to samples selected from the following in the file "## Sample Worksheet Filename ##.":
- C-200 - High Impact BES Cyber Systems (HIBCS)
- C-203 - HIBCS - EACMS
- C-207 - HIBCS - PCA

Requested by: CIP Team. Request date: ## Six weeks after Notification Date ##. Due date: ## 15 calendar days prior to audit onsite ##.

Round 3 Request C-306 CIP-005-5 R1 Electronic Security Perimeter (ESP)

For each EACMS with an electronic access point interface selected in the sample, please provide complete system-generated evidence (generated no more than 30 days prior to the date of this request) demonstrating inbound and outbound access permissions, to include the reason for granting access to the ESP as well as deny by default configuration.

This request applies to samples selected from the following in "## Sample Worksheet Filename ##.":
- C-203 - HIBCS-EACMS
- C-204 - MIBCS - EACMS

Requested by: CIP Team. Request date: ## Six weeks after Notification Date ##. Due date: ## 15 calendar days prior to audit onsite ##.

Round 3 Request C-307 CIP-005-5 R1.1.4 Electronic Security Perimeter (ESP) Dial Up Connectivity

For each device selected in the sample, please provide complete system-generated evidence, e.g. device screenshot, etc. (generated no more than 30 days prior to the date of this request) of the authentication performed to establish dial up connectivity.

This request applies to samples selected from the following in "## Sample Worksheet Filename ##.":
- C-200 - High Impact BES Cyber Systems (with dial-up connectivity)
- C-201 - Medium Impact BES Cyber Systems (with dial-up connectivity)
- C-207 - HIBCS-PCA (with dial-up connectivity)
- C-208 - MIBCS-PCA (with dial-up connectivity)

Requested by: CIP Team. Request date: ## Six weeks after Notification Date ##. Due date: ## 15 calendar days prior to audit onsite ##.

Round 3 Request C-308 CIP-005-5 R1.1.5 Electronic Security Perimeter (ESP) Malicious Communications

For each EACMS with an Electronic Access Point interface selected in the sample, please provide complete system-generated evidence (generated no more than 30 days prior to the date of this request) on methods used in detecting known or suspected malicious communications for both inbound and outbound communication. If a malicious test file is available for testing automated solutions, please provide system-generated evidence showing the results of using the test file.

This request applies to samples selected from the following in "## Sample Worksheet Filename ##.":
- C-203 - HIBCS-EACMS
- C-204 - MIBCS-EACMS (at Control Centers)

Requested by: CIP Team. Request date: ## Six weeks after Notification Date ##. Due date: ## 15 calendar days prior to audit onsite ##.


Round 3 Request C-309 CIP-005-5 R2.2.2-2.2.3 Electronic Security Perimeter (ESP) Interactive Remote Access

For each device selected in the sample, please provide complete system-generated evidence (generated no more than 30 days prior to the date of this request) on encryption and multi-factor authentication methods used for interactive remote access sessions (including vendor access sessions). Vendor documentation for automated methods as supplemental material is also welcome.

This request applies to samples selected from the following in "## Sample Worksheet Filename ##.":
- C-200 - High Impact BES Cyber Systems (HIBCS)
- C-201 - Medium Impact BES Cyber Systems (with ERC)
- C-203 - HIBCS - EACMS
- C-204 - MIBCS - EACMS (with ERC)
- C-207 - HIBCS - PCA
- C-208 - MIBCS - PCA (with ERC)

Requested by: CIP Team. Request date: ## Six weeks after Notification Date ##. Due date: ## 15 calendar days prior to audit onsite ##.

Round 3 Request C-310 CIP-006-6 R1 PSP's Associated with BES Cyber Systems

For each of the PSP access points selected in the sample, please provide evidence of all physical access controls in place to allow unescorted physical access to only those authorized individuals.

This request applies to samples selected from the following population in "## Sample Worksheet Filename ##.":
- C-002 - Designated Physical Security Perimeters (PSPs)

Requested by: CIP Team. Request date: ## Six weeks after Notification Date ##. Due date: ## 15 calendar days prior to audit onsite ##.

Round 3 Request C-311 CIP-006-6 R1.1.4-1.1.5, 1.1.8-1.1.9 Physical Security Perimeter Access Point Monitoring and Logging

For each of the PSP access points selected in the sample, please provide evidence of the following:
- Logging of authorized access
- Monitoring for unauthorized access into the PSP
- Alarms or alerts issued for detected unauthorized access, including time of detected unauthorized access and time of alert being sent to personnel identified in the BES Cyber Security Incident response plan
- Retention of physical access logs for the past 90 days

This request applies to samples selected from the following population in "## Sample Worksheet Filename ##.":
- C-002 - Designated Physical Security Perimeters (PSPs)

CIP Team

## Six weeks after Notification Date ##

## 15 calendar days prior to audit onsite ##

Round 3 Request C-312 CIP-006-6 R1.1.6-1.1.7 Physical Access Control System Monitoring and Logging

For each of the PACS devices selected in the sample, please provide evidence of the following:
- Monitoring for unauthorized physical access to the Physical Access Control System
- Alarms or alerts issued for detected unauthorized access within 15 minutes of detection to the personnel identified in the BES Cyber Security Incident response plan

This request applies to samples selected from the following in "## Sample Worksheet Filename ##.":
- C-205 - HIBCS - PACS
- C-206 - MIBCS - PACS (with ERC)

CIP Team

## Six weeks after Notification Date ##

## 15 calendar days prior to audit onsite ##

Round 3 Request C-313 CIP-006-6 R2.2.2-2.2.3 Visitor Control Program

For each PSP access point selected in the sample, please provide evidence of the following:
- Logging of visitor access
- Retention of visitor access logs for the past 90 days

This request applies to samples selected from the following population in "## Sample Worksheet Filename ##.":
- C-002 - Designated Physical Security Perimeters (PSPs)

CIP Team

## Six weeks after Notification Date ##

## 15 calendar days prior to audit onsite ##

Round 3 Request C-314 CIP-006-6 R3.3.1 Maintenance and Testing Program

For each device selected in the sample, please provide evidence of testing and/or maintenance related to Physical Access Control Systems and locally mounted hardware and devices associated with the access point(s) performed once every 24 months.

This request applies to samples selected from the following population in "## Sample Worksheet Filename ##.":
- C-205 - HIBCS - PACS
- C-206 - MIBCS - PACS (with ERC)

CIP Team

## Six weeks after Notification Date ##

## 15 calendar days prior to audit onsite ##

Round 3 Request C-315 CIP-007-6 R1.1.1 Ports and Services

For each device selected in the sample, please provide documentation of the ports and services deemed needed by the entity. We request this in MS Excel format, if possible.

This request applies to samples selected from the following in "## Sample Worksheet Filename ##.":
- C-200 - High Impact BES Cyber Systems (HIBCS)
- C-201 - Medium Impact BES Cyber Systems (with ERC)
- C-203 - HIBCS - EACMS
- C-204 - MIBCS - EACMS (with ERC)
- C-205 - HIBCS - PACS
- C-206 - MIBCS - PACS (with ERC)
- C-207 - HIBCS - PCA

CIP Team

## Six weeks after Notification Date ##

## 15 calendar days prior to audit onsite ##

Round 3 Request C-316 CIP-007-6 R1.1.1 Enabled Ports and Services

For each device selected in the sample, please provide a system-generated list (this list is to be generated no more than 30 days prior to the date of this request) of all logical enabled ports and services, including date generated and the method by which it was generated. We request this in MS Excel format, if possible.

This request applies to samples selected from the following in "## Sample Worksheet Filename ##.":
- C-200 - High Impact BES Cyber Systems (HIBCS)
- C-201 - Medium Impact BES Cyber Systems (with ERC)
- C-203 - HIBCS - EACMS
- C-204 - MIBCS - EACMS (with ERC)
- C-205 - HIBCS - PACS
- C-206 - MIBCS - PACS (with ERC)
- C-207 - HIBCS - PCA
- C-208 - MIBCS - PCA (with ERC)

CIP Team

## Six weeks after Notification Date ##

## 15 calendar days prior to audit onsite ##

Round 3 Request C-317 CIP-007-6 R2.2.1-2.2.4 Security Patch Availability

For each device selected in the sample, please provide the source(s) for cyber security patches. Provide a list of security patches released for each device during the audit period, including the date of the availability from the source(s) as well as the date the patches were assessed. (This list is to be generated no more than 35 days prior to the due date of this request.) The expectation is that the list explicitly links each specific patch to each specific device.

This request applies to samples selected from the following in "## Sample Worksheet Filename ##.":
- C-200 - High Impact BES Cyber Systems (HIBCS)
- C-201 - Medium Impact BES Cyber Systems (MIBCS)
- C-203 - HIBCS - EACMS
- C-204 - MIBCS - EACMS
- C-205 - HIBCS - PACS
- C-206 - MIBCS - PACS
- C-207 - HIBCS - PCA
- C-208 - MIBCS - PCA

CIP Team

## Six weeks after Notification Date ##

## Eight weeks after Notification Date ##

Round 3 Request C-318 CIP-011-2 R1.1.1-1.1.2 Information Protection - Secure Handling

Please provide records indicating that BES Cyber System Information is handled in a manner consistent with the entity’s documented procedure(s). Include examples that demonstrate secure storage, transit, and use where applicable. Provide information related to each sampled Cyber Asset from the "## Sample Worksheet Filename ##". Describe how this information is protected from vendors and linemen working on or configuring relays (if applicable).

This request applies to samples selected from the following in "## Sample Worksheet Filename ##.":
- C-200 - High Impact BES Cyber Systems (HIBCS)
- C-201 - Medium Impact BES Cyber Systems (MIBCS)
- C-203 - HIBCS - EACMS
- C-204 - MIBCS - EACMS
- C-205 - HIBCS - PACS
- C-206 - MIBCS - PACS

CIP Team

## Notification Date ##

## 15 calendar days prior to audit onsite ##

Round 3 Request C-319 CIP-007-6 R3.3.1-3.3.3 Malicious Code Prevention

For each device selected in the sample, please provide system-generated evidence (this list is to be generated no more than 30 days prior to the date of this request) demonstrating that malware deterrent, detection or prevention tools are deployed and that threats of detected malicious code are mitigated. If automated software provides a test file, a sample test using the file would be requested.

This request applies to samples selected from the following in "## Sample Worksheet Filename ##.":
- C-200 - High Impact BES Cyber Systems (HIBCS)

CIP Team

## Six weeks after Notification Date ##

## 15 calendar days prior to audit onsite ##

Round 3 Request C-320 CIP-007-6 R3 Signature and Pattern Updates - Malware Code Prevention

For the devices selected in the sample whose malicious code prevention methods use signatures or patterns, please provide evidence demonstrating the updating and testing of those signatures or patterns.

This request applies to samples selected from the following in "## Sample Worksheet Filename ##.":
- C-200 - High Impact BES Cyber Systems (HIBCS)
- C-201 - Medium Impact BES Cyber Systems (MIBCS)
- C-203 - HIBCS - EACMS
- C-204 - MIBCS - EACMS
- C-205 - HIBCS - PACS
- C-206 - MIBCS - PACS
- C-207 - HIBCS - PCA
- C-208 - MIBCS - PCA

CIP Team

## Six weeks after Notification Date ##

## 15 calendar days prior to audit onsite ##

Round 3 Request C-321 CIP-007-6 R4.4.1, R4.4.3, R5.5.7 Security Event Logs

For each BES Cyber System or at the Cyber Asset selected in the sample, please provide evidence of security event logs of relevant events, referenced in CIP-007 R4.1 (per Cyber Asset or Cyber System capability) or CIP-007 R4.3 (where technically feasible), for the past 90 days.

This request applies to samples selected from the following in "## Sample Worksheet Filename ##.":
- C-200 - High Impact BES Cyber Systems (HIBCS)
- C-201 - Medium Impact BES Cyber Systems (MIBCS)
- C-203 - HIBCS - EACMS
- C-204 - MIBCS - EACMS
- C-205 - HIBCS - PACS
- C-206 - MIBCS - PACS
- C-207 - HIBCS - PCA
- C-208 - MIBCS - PCA

CIP Team

## Six weeks after Notification Date ##

## 15 calendar days prior to audit onsite ##

Round 3 Request C-322 CIP-007-6 R4.4.2 Security Event Alerts

For each BES Cyber System or at the Cyber Asset selected in the sample, please provide evidence of security alerts as referenced in CIP-007 R4.2 (per Cyber Asset or BES Cyber System capability) during the monitoring period since July 1, 2016. Please provide evidence of incapability of the device to support security alerts, if applicable.

This request applies to samples selected from the following populations, in "## Sample Worksheet Filename ##.":
- C-200 - High Impact BES Cyber Systems (HIBCS)
- C-201 - Medium Impact BES Cyber Systems (with ERC)
- C-203 - HIBCS - EACMS
- C-204 - MIBCS - EACMS (with ERC)
- C-205 - HIBCS - PACS
- C-206 - MIBCS - PACS (with ERC)
- C-207 - HIBCS - PCA
- C-208 - MIBCS - PCA (with ERC)

CIP Team

## Six weeks after Notification Date ##

## 15 calendar days prior to audit onsite ##

Round 3 Request C-323 CIP-007-6 R4.4.4 Review of Security Events

For each BES Cyber System or at the Cyber Asset selected in the sample, please provide evidence of the review of summarized or sampled logged events for the purpose of identifying undetected Cyber Security Incidents for the previous six months.

This request applies to samples selected from the following populations, in "## Sample Worksheet Filename ##.":
- C-200 - High Impact BES Cyber Systems (HIBCS)
- C-203 - HIBCS - EACMS
- C-207 - HIBCS - PCA

CIP Team

## Six weeks after Notification Date ##

## 15 calendar days prior to audit onsite ##

Round 3 Request C-324 CIP-007-6 R5.5.1 System Access Controls

For each BES Cyber System or at the Cyber Asset selected in the sample and where technically feasible, please provide system-generated evidence that authentication enforcement for interactive user access (both local and remote, if applicable) is in place.

This request applies to samples selected from the following populations, in "## Sample Worksheet Filename ##.":
- C-200 - High Impact BES Cyber Systems (HIBCS)
- C-201 - Medium Impact BES Cyber Systems (at a Control Center or with ERC)
- C-203 - HIBCS - EACMS
- C-204 - MIBCS - EACMS (at a Control Center or with ERC)
- C-205 - HIBCS - PACS
- C-206 - MIBCS - PACS (at a Control Center or with ERC)
- C-207 - HIBCS - PCA
- C-208 - MIBCS - PCA (at a Control Center or with ERC)

CIP Team

## Six weeks after Notification Date ##

## 15 calendar days prior to audit onsite ##

Round 3 Request C-325 CIP-007-6 R5.5.2, R5.5.4 Generic or Default Accounts

For each BES Cyber System or at the Cyber Asset selected in the sample, please provide system-generated evidence showing all known enabled generic or default accounts. Be sure to include any domain accounts, if applicable.

This request applies to samples selected from the following in "## Sample Worksheet Filename ##.":
- C-200 - High Impact BES Cyber Systems (HIBCS)
- C-201 - Medium Impact BES Cyber Systems (MIBCS)
- C-203 - HIBCS - EACMS
- C-204 - MIBCS - EACMS
- C-205 - HIBCS - PACS
- C-206 - MIBCS - PACS
- C-207 - HIBCS - PCA
- C-208 - MIBCS - PCA

CIP Team

## Six weeks after Notification Date ##

## 15 calendar days prior to audit onsite ##

Round 3 Request C-326 CIP-007-6 R5.5.3 Shared Account Access

For all enabled shared accounts that exist on each device in the sample, please provide an inventory of all individuals with authorized access to those accounts. We request this list to be provided in MS Excel format and include (at a minimum) the following information:
- Employee ID or other unique identifier
- Individual’s full name
- Individual’s company
- Contractor/Employee
- Position/job title

This request applies to samples selected from the following populations, in "## Sample Worksheet Filename ##.":
- C-200 - High Impact BES Cyber Systems (HIBCS)
- C-201 - Medium Impact BES Cyber Systems (with ERC)
- C-203 - HIBCS - EACMS
- C-204 - MIBCS - EACMS (with ERC)
- C-205 - HIBCS - PACS
- C-206 - MIBCS - PACS (with ERC)
- C-207 - HIBCS - PCA
- C-208 - MIBCS - PCA (with ERC)

CIP Team

## Six weeks after Notification Date ##

## Eight weeks after Notification Date ##

Round 3 Request C-327 CIP-007-6 R5.5.5-5.5.7 Device Password Restrictions

For each device selected in the sample, please provide system-generated evidence (generated no more than 30 days prior to the date of this request) showing the password requirement settings on each device, including minimum length, complexity requirements, password age (including system-generated dated evidence of when the password was changed for all accounts), and unsuccessful attempts threshold or alerts generated from unsuccessful authentication attempts, where required. If no technical requirements can be provided, please provide evidence of how each device has password requirements handled procedurally.

This request applies to samples selected from the following populations, in "## Sample Worksheet Filename ##.":
- C-200 - High Impact BES Cyber Systems (HIBCS)
- C-201 - Medium Impact BES Cyber Systems (MIBCS)
- C-203 - HIBCS - EACMS
- C-204 - MIBCS - EACMS
- C-205 - HIBCS - PACS
- C-206 - MIBCS - PACS
- C-207 - HIBCS - PCA
- C-208 - MIBCS - PCA

CIP Team

## Six weeks after Notification Date ##

## 15 calendar days prior to audit onsite ##

Round 3 Request C-328 CIP-008-5 R2 Cyber Security Incident Response Plan Implementation and Testing

For each response plan test selected in the sample, please provide all documentation associated with the test.

This request applies to samples selected from the following in the file "## Sample Worksheet Filename ##.":
- C-004 - Cyber Security Incident Response Plan Tests

CIP Team

## Six weeks after Notification Date ##

## 15 calendar days prior to audit onsite ##

Round 3 Request C-329 CIP-008-5 R3.3.1-3.3.2 Cyber Security Incident Response Plan Review, Update, and Communication

For each incident response plan test selected in the sample, please provide dated documentation of the following:
- Lessons learned or the absence of lessons learned
- Cyber Security Incident response plan updates that occurred as a result of lessons learned (within 90 calendar days of the response plan test or actual incident) or changes to the roles and responsibilities (within 60 calendar days of changes to individuals or technology impacting execution of the plan)
- Notification of the incident response plan updates to individuals with a defined role in the Cyber Security Incident response plan

This request applies to samples selected from the following population, in the file "## Sample Worksheet Filename ##.":
- C-004 - Cyber Security Incident Response Plan Tests

CIP Team

## Six weeks after Notification Date ##

## 15 calendar days prior to audit onsite ##

Round 3 Request C-330 CIP-009-6 R1.1.4 Successful Backup Verification

For each device in the sample, please provide documentation verifying successful completion, within the last 15 calendar months, of the backup processes in Part 1.3, and documentation showing how any backup failures were addressed.

This request applies to samples selected from the following in the file "## Sample Worksheet Filename ##.":
- C-200 - High Impact BES Cyber Systems (HIBCS)
- C-201 - Medium Impact BES Cyber Systems (at Control Centers)
- C-203 - HIBCS - EACMS
- C-204 - MIBCS - EACMS (at Control Centers)
- C-205 - HIBCS - PACS
- C-206 - MIBCS - PACS (at Control Centers)

CIP Team

## Six weeks after Notification Date ##

## 15 calendar days prior to audit onsite ##

Round 3 Request C-331 CIP-009-6 R2.2.1, R3.3.1-3.3.2 Recovery Plan Testing

For each device in the sample, please provide evidence of the annual recovery plan test. A test of the recovery plan(s) can range from a paper drill, to a full operational exercise, to recovery from an actual incident. Please include any lessons learned and provide the updated plans as well as notifications of the updates made with appropriate dates.

This request applies to samples selected from the following in the file "## Sample Worksheet Filename ##.":
- C-200 - High Impact BES Cyber Systems (HIBCS)
- C-201 - Medium Impact BES Cyber Systems (at Control Centers)
- C-203 - HIBCS - EACMS
- C-204 - MIBCS - EACMS (at Control Centers)
- C-205 - HIBCS - PACS
- C-206 - MIBCS - PACS (at Control Centers)

CIP Team

## Six weeks after Notification Date ##

## 15 calendar days prior to audit onsite ##

Round 3 Request C-332 CIP-009-6 R2.2.2 BES Cyber System recovery information testing

For each representative test in the sample, please provide evidence of the annual recovery plan test ensuring that the information used to recover the BES Cyber System functionality is usable and compatible with the current configurations.

This request applies to samples selected from the following in the file "## Sample Worksheet Filename ##.":
- C-200 - High Impact BES Cyber Systems (HIBCS)
- C-201 - Medium Impact BES Cyber Systems (at Control Centers)
- C-203 - HIBCS - EACMS
- C-204 - MIBCS - EACMS (at Control Centers)
- C-205 - HIBCS - PACS
- C-206 - MIBCS - PACS (at Control Centers)

CIP Team

## Six weeks after Notification Date ##

## 15 calendar days prior to audit onsite ##

Round 3 Request C-333 CIP-009-6 R2.2.3 High Impact BES Cyber System recovery plan testing

For each device in the sample, please provide evidence of the recovery plan test(s) that were performed through an operational exercise in an environment representative of the production environment during the monitoring period.

This request applies to samples selected from the following populations, in the file "## Sample Worksheet Filename ##.":
- C-200 - High Impact BES Cyber Systems (HIBCS)

CIP Team

## Six weeks after Notification Date ##

## 15 calendar days prior to audit onsite ##

Round 3 Request C-334 CIP-010-2 R3.3.1 - R3.3.4 Periodic Vulnerability Assessments

Please provide evidence of the 15-month periodic vulnerability assessments (VAs). For each VA, documentation must include the following information:
- Date(s) on which the VA for each sampled device (or for the BES Cyber System in which the device resides) was both initiated and completed. Ensure that the evidence for the tests performed includes the following considerations:
  a. Network port and service identification
  b. Vulnerability review or scanning
  c. Wireless review or scanning
- Documentation of the results and review of the assessments conducted according to Part 3.1
- Documentation of any action plans to remediate or mitigate all vulnerabilities identified in the assessment and the execution status of that action plan

This request applies to samples selected from the following populations, in the file "## Sample Worksheet Filename ##.":
- C-200 - High Impact BES Cyber Systems (HIBCS)
- C-201 - Medium Impact BES Cyber Systems (MIBCS)
- C-203 - HIBCS - EACMS
- C-204 - MIBCS - EACMS
- C-205 - HIBCS - PACS
- C-206 - MIBCS - PACS
- C-207 - HIBCS - PCA
- C-208 - MIBCS - PCA

CIP Team

## Six weeks after Notification Date ##

## 15 calendar days prior to audit onsite ##

Round 3 Request C-335 CIP-010-2 R3.3.2 - R3.3.4 Periodic Active Vulnerability Assessments

Please provide evidence of the 36-month periodic active vulnerability assessments (VAs). For each active VA, documentation must include the following information:
- Date(s) on which the VA for each sampled device (or for the BES Cyber System in which the device resides) was both initiated and completed. Ensure that the evidence for the test(s) performed includes the following considerations:
  a. Network port and service identification
  b. Vulnerability scanning
  c. Wireless scanning
- Any testing and production environment differences including a description of the measures used to account for those differences
- Documentation of the results of the assessment and testing conducted according to Parts 3.2 and 3.3
- Documentation of any action plans to remediate or mitigate all vulnerabilities identified in the assessment and the execution status of that action plan

This request applies to samples selected from the following populations, in "## Sample Worksheet Filename ##." tabs:
- C-200 - High Impact BES Cyber Systems (HIBCS)
- C-203 - HIBCS-EACMS
- C-207 - HIBCS-PCA

NOTE: Part 3.4 evidence for HIBCS PACS and all Medium impact BCS and associated assets is requested in C-334

CIP Team

## Six weeks after Notification Date ##

## 15 calendar days prior to audit onsite ##

Round 3 Request C-336 CIP-010-2 R3.3.3 New Cyber Asset Vulnerability Assessments

Please provide evidence of the active vulnerability assessments performed on applicable Cyber Assets added to the production environment. For each active VA on newly added assets, documentation must include the following information:
- Evidence of the test(s) performed
- Documentation of the testing results
- Documentation of any action plans to remediate or mitigate all vulnerabilities identified in the assessment and the execution status of that action plan

This request applies to samples selected from the following populations, in the file "## Sample Worksheet Filename ##.":
- C-200 - High Impact BES Cyber Systems (HIBCS)
- C-203 - HIBCS - EACMS
- C-207 - HIBCS - PCA

CIP Team

## Six weeks after Notification Date ##

## 15 calendar days prior to audit onsite ##

Round 3 Request C-337 CIP-011-2 R2 BES Cyber Asset Reuse and Disposal

For each sampled Cyber Asset that was released for reuse or disposal, please provide the evidence of the actions taken to prevent the unauthorized retrieval of BES Cyber System Information from the Cyber Asset data storage media.

This request applies to samples selected from the following populations, in the file "## Sample Worksheet Filename ##.":
- C-005 - Reuse or Disposal of BES Cyber Assets

CIP Team

## Six weeks after Notification Date ##

## 15 calendar days prior to audit onsite ##

Round 3 Request C-338 CIP-014-2 R4-R5 Substation evaluation

Please provide dated documentation of substation evaluations identified in CIP-014-2 R1 and verified according to CIP-014-2 R2 as well as the physical security plan(s) created based on the evaluation. Include the following:
- Date of assessment evaluation
- Recommended changes from the assessment review (if applicable)

CIP Team

## Notification Date ##

Please provide during onsite portion of audit

Round 3 Request C-339 CIP-009-6 R1.1.5 Data Preservation

For each device in the sample, please provide documentation showing the cause of a Cyber Security Incident that triggered activation of the recovery plan(s), per Cyber Asset capability.

This request applies to samples selected from the following in the file "## Sample Worksheet Filename ##.":
- C-200 - High Impact BES Cyber Systems (HIBCS)
- C-201 - Medium Impact BES Cyber Systems (MIBCS)
- C-203 - HIBCS - EACMS
- C-204 - MIBCS - EACMS
- C-205 - HIBCS - PACS
- C-206 - MIBCS - PACS

CIP Team

## Six weeks after Notification Date ##

## 15 calendar days prior to audit onsite ##

Round 3 Request C-340 CIP-014-2 R1-R3 Substation Risk Assessment

Please provide dated documentation of an initial risk and subsequent risk assessments of all owned Transmission stations/substations (existing and planned to be in service within 24 months) completed during the monitoring period. Please include the identification of the primary control center, notification(s) to the primary control center, and confirmation of the 3rd party risk assessment and results (including confirmation of 3rd party experience and nondisclosure agreements).

This request applies to samples to be selected during a SME interview to be scheduled by audit team at a future date.

CIP Team

## Notification Date ##

Please provide during onsite portion of audit

Round 3 Request C-341 CIP-005-5 R1.1.1-1.1.2 Device Interface Output

For each device in the sample, please provide documentation showing all connection interfaces and the status of those interfaces (where available). Example output could be something similar to 'ipconfig /all' for Windows OS or 'ifconfig -a' for *nix OS. Please indicate if the information is not available for the device.

This request applies to samples selected from the following populations, in the file "## Sample Worksheet Filename ##.":
- C-200 - High Impact BES Cyber Systems (HIBCS)
- C-201 - Medium Impact BES Cyber Systems (MIBCS)
- C-207 - HIBCS - PCA
- C-208 - MIBCS - PCA

CIP Team

## Six weeks after Notification Date ##

## 15 calendar days prior to audit onsite ##

Round 3 Request C-342 CIP-010-2 R4 Handling of TCA managed by Responsible Entity

For each Transient Cyber Asset in the sample, please provide documentation showing the following:
- Role or group user authorization
- Location authorization
- Usage authorization
- Handling of software vulnerability mitigation
- Handling of malicious code mitigation
- Handling of unauthorized use

This request applies to samples selected from the following populations, in the file "## Sample Worksheet Filename ##":
- C-007 - Transient Cyber Assets managed by Responsible Entity

CIP Team

## Six weeks after Notification Date ##

## 15 calendar days prior to audit onsite ##

Round 3 Request C-343 CIP-010-2 R4 Handling of TCA managed by other party

For each Transient Cyber Asset in the sample, please provide documentation showing the following:
- Handling of software vulnerability mitigation
- Handling of malicious code mitigation
- If additional mitigations were deemed necessary, information about additional mitigations that were used

This request applies to samples selected from the following populations, in the file "## Sample Worksheet Filename ##":
- C-008 - Transient Cyber Asset(s) managed by other party

CIP Team

## Six weeks after Notification Date ##

## 15 calendar days prior to audit onsite ##

Round 3 Request C-344 CIP-010-2 R4 Handling of Removable Media

For each Removable Media in the sample, please provide documentation showing the following:
- Role or group user authorization
- Location authorization
- System-generated evidence showing the method used to detect malicious code on the removable media
- If an issue is found on removable media, how mitigation of malicious code is handled

This request applies to samples selected from the following populations, in the file "## Sample Worksheet Filename ##":
- C-009 - Removable Media

CIP Team

## Six weeks after Notification Date ##

## 15 calendar days prior to audit onsite ##

Round 3 Request C-345 CIP-003-6 R2 Cyber Security Awareness Materials

Please provide the cyber security awareness materials provided to personnel who have access to assets containing low impact BES Cyber Systems. Include the dates of when the materials were provided.

CIP Team

## Six weeks after Notification Date ##

## 15 calendar days prior to audit onsite ##

Round 3 Request C-346 CIP-003-6 R2 Cyber Security Incident Response for LIBCS

For each incident response plan connected to a LIBCS test selected in the sample, please provide documentation of the following:
- Testing of the Cyber Security Incident response plan at least once every 36 calendar months
- Updating the Cyber Security Incident response plan (or indication that no updates are needed)

This request applies to LIBCS samples selected from the following population, in the file "## Sample Worksheet Filename ##.":
- C-004 - Cyber Security Incident Response Plan Tests

CIP Team

## Six weeks after Notification Date ##

## 15 calendar days prior to audit onsite ##

Round 3 Request C-347 CIP-003-6 R2 Physical and Electronic Controls for LIBCS

For each asset or LIBCS in the sample, please provide documentation showing the following:
- Evidence of the implemented physical security control(s)
- Evidence of the implemented electronic access control(s)
- Description or diagram of the specific implementation of LEAP for the asset, if applicable
- Description or diagram of the Dial-up Connectivity to the asset, if applicable
- Inbound and outbound access permissions for each LEAP, if applicable
- Documentation of the inbound and outbound access permissions, if applicable
- Documentation of the capability or incapability for Dial-up Connectivity authentication, if applicable

This request applies to LIBCS samples selected from the following population, in the file "## Sample Worksheet Filename ##":
- C-202 - Low Impact BES Cyber Systems (LIBCS)

CIP Team

## Six weeks after Notification Date ##

## 15 calendar days prior to audit onsite ##

Round 3 Request C-348 CIP-002-5.1, CIP-014-2 R1, R1 Substation onelines

Please provide Transmission system maps that in the aggregate encompass all substation assets owned by Responsible Entity.

CIP Team

## Six weeks after Notification Date ##

Please provide during onsite portion of audit

Round 3 Request C-349 CIP-014-2 R6 Third party evaluation

Please provide dated documentation of third party evaluations for CIP-014-2 R4 assessments and CIP-014-2 R5 plans. Be sure to include:
- Third party reviewer credentials
- Date of third party reviewer evaluation
- Recommended changes from the third party review (if applicable)
- Actions from recommended changes from third party review (if applicable)
- Acceptance of non-disclosure agreements

CIP Team

## Six weeks after Notification Date ##

Please provide during onsite portion of audit

Round 3 Request C-350 CIP-005-5 R1-R2 ESP Network Diagrams

Please provide network topology and/or network diagrams for all designated ESPs. Please include relationships between ESPs, if applicable. Documentation should include:
- Identification of all Electronic Access Points
- Identification of sampled Electronic Access Control and Monitoring Systems
- Identification of sampled BES Cyber Systems with Dial-up Connectivity
- Identification of all Intermediate Systems for Interactive Remote Access
- Identification of devices in the following samples selected from the following populations:
  a. C-200 - HIBCS
  b. C-201 - MIBCS
  c. C-203 - HIBCS-EACMS
  d. C-204 - MIBCS-EACMS
  e. C-207 - HIBCS-PCA
  f. C-208 - MIBCS-PCA

Notification Packet

## Notification Date ##

## 15 calendar days prior to audit onsite ##

Round 3 Request C-351 CIP-007-6 R5.5.2, R5.5.4 Inventory of Generic or Default Accounts

For each BES Cyber System or at the Cyber Asset selected in the sample, please provide the inventory of all known enabled generic or default accounts. Ensure to include any domain accounts, if applicable.

This request applies to samples selected from the following in "## Sample Worksheet Filename ##.":
- C-200 - High Impact BES Cyber Systems (HIBCS)
- C-201 - Medium Impact BES Cyber Systems (MIBCS)
- C-203 - HIBCS - EACMS
- C-204 - MIBCS - EACMS
- C-205 - HIBCS - PACS
- C-206 - MIBCS - PACS
- C-207 - HIBCS - PCA
- C-208 - MIBCS - PCA

Requested By: CIP Team
Request Date: ## Six weeks after Notification Date ##
Due Date: ## Eight weeks after Notification Date ##

Round 4 Request C-400 CIP-004-6 R2 - R4 Cyber Security Training & Personnel Risk Assessment Program Documentation

For each individual selected in the sample, please provide evidence and complete the spreadsheet columns completely.

This request applies to samples listed in Testing Tab A of the file "XXXX_CIPAudit_Testing Tab A & B.xlsx".

This request applies to samples selected from the following populations:
- C-300 - Individuals with BES Cyber System Access
- C-301 - Individuals with access to designated storage locations for BCS Information
- C-302 - Access Revocation

Requested By: CIP Team
Request Date: ## Nine weeks after Notification Date ##
Due Date: ## 15 calendar days prior to audit onsite ##

Round 4 Request C-401 CIP-004-6 R5 Access Revocation

For each individual selected in the sample, please provide evidence and complete the spreadsheet columns completely.

This request applies to samples listed in Testing Tab B of the file "XXXX_CIPAudit_Testing Tab A & B.xlsx".

This request applies to samples selected from the following populations:
- C-301 - Individuals with access to designated storage locations for BCS Information
- C-302 - Access Revocation

Requested By: CIP Team
Request Date: ## Nine weeks after Notification Date ##
Due Date: ## 15 calendar days prior to audit onsite ##

Round 4 Request C-402 CIP-007-6 R5.5.3 Shared Account Authorization

For each individual selected in the sample, please provide evidence of shared account access authorization.

This request applies to samples selected from the following populations, in the file "XXX_CIPAudit_SampleSelections.xlsx.":

- C-326 - Shared Account Access

Requested By: CIP Team
Request Date: ## Nine weeks after Notification Date ##
Due Date: ## 15 calendar days prior to audit onsite ##

Round 4 Request C-403 CIP-007-6 R5.5.4 Default Password Change

For each sampled default account, please provide evidence that the default password was changed per Cyber Asset capability.

This request applies to samples selected from the following populations, in "XXX_CIPAudit_SampleSelections.xlsx.":

- C-325 - Generic or Default Accounts

Requested By: CIP Team
Request Date: ## Nine weeks after Notification Date ##
Due Date: ## 15 calendar days prior to audit onsite ##


Round 4 Request C-404 CIP-010-2 R1.1.2, R1.1.4 Configuration Change Testing

For each baseline configuration change in the sample, please provide documentation of the following:
- Evidence of authorization for the change
- Cyber security controls in CIP-005 and CIP-007 that could be impacted by the change
- Verification that required cyber security controls determined in 1.4.1 are not adversely affected

This request applies to samples selected from the following populations, in the file "XXX_CIPAudit_SampleSelections.xlsx.":
- C-304 - BES Cyber System Changes

Requested By: CIP Team
Request Date: ## Nine weeks after Notification Date ##
Due Date: ## 15 calendar days prior to audit onsite ##

Round 4 Request C-405 CIP-010-2 R1.1.2-1.1.3 Baseline Configuration Updates

For each baseline change in the sample, please provide a dated updated baseline configuration upon completion of the change, which shall include the following items:
- Operating system(s) (including version) or firmware where no independent operating system exists;
- Any commercially available or open-source application software (including version) intentionally installed;
- Any custom software installed;
- Any logical network accessible ports;
- Any security patches applied;
- Any authorized changes that deviate from the existing baseline configuration;
- Baseline configuration update date

This request applies to samples selected from the following populations, in the file "XXX_CIPAudit_SampleSelections.xlsx.":
- C-304 - BES Cyber System Changes

Requested By: CIP Team
Request Date: ## Nine weeks after Notification Date ##
Due Date: ## 15 calendar days prior to audit onsite ##


Operations and Planning - Request for Information

Page 1 of 2 Ops Planning Reliability Standards RFI Spreadsheet.xlsx

Entity:

Instructions:
- Please provide your documentation as requested and reference the 'request number' in all communications. Please keep original file names intact.
- Please place all documents for a given request into a folder with the request number as its name.
- Electronic documentation is required for all data submittals.
- Unless otherwise specified in the request, please provide original, un-redacted and un-combined, copies in MS Word format or the 'native' format for the requested item(s).

NOTE: Request #s: "0X" are requests from Notification Packet; "1XX" are 1st round of sampling and sampling support; "2XX" are second round of sampling support; "3XX" are third round of sampling support; "4XX" are fieldwork requests

Request # Std. Req. Description MRO Comments Requested by Registered Entity Comments Request Date Due Date Status

OP-01 FAC-008-3 6 To generate a specific random sample population

Please provide a list, in Excel .xlsx format, of all of your BES Facilities and their associated ratings.

Notification Packet ## Notification Date ##

OP-02 PRC-005-6 3, 4 Sample UFLS population

Please provide a list of feeders with UFLS circuits in MS Excel format. This list should include all UFLS circuits that are installed per the ERO underfrequency load-shedding requirements owned by the entity even if located in another entity's substation. For each feeder with a UFLS circuit, please indicate if it is either distributed or non-distributed.

Notification Packet ## Notification Date ##

OP-03 PRC-005-6 3, 4 Sample UVLS population

Please provide a list of feeders with UVLS circuits in MS Excel format. This list should include all feeders with UVLS circuits that are installed to prevent system voltage collapse or voltage instability for BES reliability. For each feeder with a UVLS circuit, please indicate if it is either distributed or non-distributed.

Notification Packet ## Notification Date ##

OP-04 PRC-005-6 3, 4 Description of Remedial Action Scheme(s)

Please provide a written description and basic block diagram (including inputs and outputs) of your Remedial Action Scheme(s).

Notification Packet ## Notification Date ##

OP-05 PER-005-2 1, 2, 3 Operating Training Program documentation

Please provide a copy of your Operator Training Program document(s)

Notification Packet ## Notification Date ##

OP-06 PER-005-2 1.3, 3 To generate a specific random sample population

Please provide a list of all personnel performing the reliability-related tasks of RC, BA, and TO employed from MM/DD/YYYY to the end of the compliance monitoring period. Include all of the position(s) the Operator qualified for, and identify the date(s) of each qualification.

Notification Packet ## Notification Date ##

OP-07 PER-005-2 1.3, 3 To generate a specific random sample population

Provide a list of BES company-specific Real-time reliability-related tasks for your RC, BA, and TOP personnel. Indicate if the task is new or has been modified since MM/DD/YYYY. Also, record the date that any new or modified task became effective.

Notification Packet ## Notification Date ##

OP-08 PRC-023-4 1 Sample population

Please provide a list including all applicable:
4.2.1.1 Transmission lines operated at 200 kV and above.
4.2.1.2 Transmission lines operated at 100 kV to 200 kV selected by the Planning Coordinator in accordance with R6.
4.2.1.3 Transmission lines operated below 100 kV that are part of the BES and selected by the Planning Coordinator in accordance with R6.
4.2.1.4 Transformers with low voltage terminals connected at 200 kV and above.
4.2.1.5 Transformers with low voltage terminals connected at 100 kV to 200 kV selected by the Planning Coordinator in accordance with R6.
4.2.1.6 Transformers with low voltage terminals connected below 100 kV that are part of the BES and selected by the Planning Coordinator in accordance with R6.

We request these list(s) to be provided in MS Excel format. Furthermore, for each facility, we request the MS Excel spreadsheet include (at a minimum) the following information: the facility’s name and rated voltage(s).

Notification Packet ## Notification Date ##

OP-18 PER-005-2 2 Sample population Please complete and return spreadsheet RFI OP-18 PER-005-2.xlsx. Notification Packet ## Notification Date ##

OP-19 PER-005-2 4 Sample population Please complete and return spreadsheet RFI OP-19 PER-005-2.xlsx. Notification Packet ## Notification Date ##

OP-20 PER-005-2 5 Sample population

1. Provide a list of your operations support personnel employed from DD/MM/YYYY
2. List the training developed for your operations support personnel, and the required periodicity of the training as established by your systematic approach.
3. Return the above information to MRO

Notification Packet ## Notification Date ##

OP-21 PER-005-2 6 Sample population Please complete and return spreadsheet RFI OP-21 PER-005-2.xlsx. Notification Packet ## Notification Date ##

OP-100 FAC-008-3 6

Enter Entity Name Here


OP-101 PRC-005-6 3, 4 Sample population

Please use file OP-101 PRC-005.xlsx to list all BES protection system equipment for the facilities identified within this file. Include all applicable facilities as identified in Section 4.2 of the Standard. Also for RAS, include equipment for the redundant portion. Equipment may include relays, input sensing devices, communications, DC Control Circuitry, and station dc supply.

OP-102 PRC-005-6 3, 4 Sample UFLS_UVLS populations

Please use file OP-102 PRC-005.xlsx to list all BES protection system equipment for the feeders identified within this file. Include all applicable facilities as identified in Section 4.2 of the Standard. Equipment is to include UFLS and UVLS relays, input sensing devices, DC Control Circuitry, and station dc supply.

OP-103 PER-005-2 2

OP-104 PER-005-2 1

OP-105 PER-005-2 3

OP-106 PER-005-2 2.1

OP-200 FAC-008-3 6

OP-201 PRC-005-6 3, 4 Maintenance and testing records

Please follow instructions in RFI OP-201_PRC-005_TO_GO_RAS.xlsx

OP-202 PRC-005-6 3, 4 Maintenance and testing records

Please follow instructions in RFI OP-202_PRC-005_UFLS_UVLS.xlsx

ADD OP-210