CIPC Control Systems Security Working Group
Mapping of NIST Cybersecurity Framework to NERC CIP v3/v5
November 2014

Executive Summary
The NIST Cybersecurity Framework (CSF) and the NERC Critical Infrastructure Protection (CIP) standards contain sets of controls and control objectives that have a great many similarities, and a fair number of differences. Mapping the two at a high level is a fairly straightforward exercise, but presents some challenges at the detailed control level. The attached spreadsheets attempt to inform and give guidance to electricity subsector cybersecurity practitioners attempting to create a holistic cybersecurity program for Bulk Electric System Cyber Systems (BCS) that meets the specific controls within the CIP standards and the control objectives of the NIST CSF.

Background
In April 2014, the Control Systems Security Working Group (CSSWG) was approached by the Electricity Sub-sector Coordinating Council (ESCC) to form a cross-functional team to map the NIST Cybersecurity Framework to the CIP standards, both version 3 and version 5. The individuals listed below volunteered to undertake this effort. The mappings were developed based on the expertise of the project team, but also borrowed heavily from other efforts. For instance, the NIST framework has been mapped to the Electric Sector Cybersecurity Capability Maturity Model (ES-C2M2), and to other standards such as NIST SP 800-53, both of which have been mapped back to NERC CIP by others. In many cases the team “hopped” from one set of mappings to another to gain insight into the controls of both frameworks in order to establish the final product.

Using the mapping document
The NIST CSF categories and sub-categories are not specifically referred to as “controls” but are instead written in the form of control objectives, giving the entity the latitude to develop its own controls and processes to meet the objective. The NERC CIP standards, on the other hand, carry regulatory weight and are written in such a way as to be auditable in a consistent fashion. Accordingly, the CIP requirements are written more like controls (e.g. “the responsible entity shall implement…”). These characteristics, while making for a challenging mapping exercise, lend themselves well to a dual-framework implementation for NERC cyber assets. By using the NERC CIP controls to satisfy NIST CSF control objectives, compliance with both frameworks can be achieved – and potentially without a great deal of additional effort beyond documentation.
Using the mapping document (cont’d)
In the example above, the control objective is NIST PR.AC-5 “Network integrity is protected…”. The entity can meet this control objective by adjusting two policy controls (CIP-003-5 R1 - 1.2 and CIP-003-5 R1 - 1.8) and two technical controls (CIP-005-5 R1 and CIP-007-5 R1) to meet the desired control objective.

Exact mappings
Due to the writing styles and varying levels of specificity between the two control frameworks, there are relatively few exact mappings – i.e. one NIST CSF sub-category mapped exactly to one NERC CIP requirement. Instead, most NIST CSF sub-categories are mapped to multiple NERC CIP requirements, as in the example above.

Missed mappings
Because the NIST CSF contains control objectives, the project team was able to think creatively and provide mappings that broadly meet the stated goal. There were, however, specific areas of the CSF that are simply not covered in the NERC CIP standards no matter how broadly they are interpreted. Examples can be found in the Business Environment (BE) section (supply chain, organization’s mission, etc.), Governance (GV), Risk Management Strategy (RM), and others. In cases where no meaningful mapping could be established, the project team provides some guidance in column ‘H’ of the spreadsheet, titled ‘Guidance for combined NERC CIP & NIST CSF’.
Control-level guidance
As an artifact of the drafting process, the project team documented some simple guidance as notations to help rationalize the individual and grouped mappings. The team elected to retain this language to help provide context to the mappings, and perhaps assist the entity with tips on how to modify its CIP program to accommodate the CSF control objectives. The notations are not meant to be overly prescriptive, but are to be used as a thought exercise when considering both frameworks acting together as a single program.

Inclusion of the ES-C2M2
The spreadsheet contains an additional mapping of the ES-C2M2 objectives and practices, as mapped to the NIST CSF sub-categories. As a supplementary exercise, the entity may wish to undertake an assessment of current practices (e.g. MIL 1) against the desired maturity level as informed by the organization’s risk management practice.

Project team
- Marc A. Child (Project Lead), Great River Energy
- Nadya Bartol, Utilities Telecom Council
- Cliff Glantz, Pacific Northwest National Lab
- Jarrid Hall, CSGI
- Christine Hasha, ERCOT
- Cynthia Hill-Watson, Tennessee Valley Authority
- Beth Lemke, Wisconsin Public Service
- Mark Morgan, Pacific Northwest National Lab
- Bill Noto, GE Power & Water
NERC CIP v3
Mapping of NIST Cybersecurity Framework to NERC CIP version 3
Nov-14
Columns: Function | Category | Subcategory | C2M2 Practices ** (MIL 1 | MIL 2 | MIL 3) | NERC CIP v3 | Guidance for combined NERC CIP v3 & NIST CSF
CIP-002-3 R3: Critical Cyber Asset Identification — Using the list of
Critical Assets developed pursuant to Requirement R2, the
Responsible Entity shall develop a list of associated Critical Cyber
Assets essential to the operation of the Critical Asset. Examples at
control centers and backup control centers include systems and
facilities at master and remote sites that provide monitoring and
control, automatic generation control, real-time power system
modeling, and real-time interutility data exchange. The Responsible
Entity shall review this list at least annually, and update it as
necessary. For the purpose of Standard CIP-002-3, Critical Cyber
Assets are further qualified to be those having at least one of the
following characteristics:
1. Ensure inventory includes assets in all security zones
CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall
document and implement a cyber security policy that represents
management’s commitment and ability to secure its Critical Cyber
Assets. The Responsible Entity shall, at minimum, ensure the
following:
1. Policy language should address inventory and asset management
ID.AM-2: Software platforms and applications
within the organization are inventoried
ACM-1b ACM-1c ACM-1e
ACM-1f
CIP-002-3 R3: Critical Cyber Asset Identification — Using the list of
Critical Assets developed pursuant to Requirement R2, the
Responsible Entity shall develop a list of associated Critical Cyber
Assets essential to the operation of the Critical Asset. Examples at
control centers and backup control centers include systems and
facilities at master and remote sites that provide monitoring and
control, automatic generation control, real-time power system
modeling, and real-time interutility data exchange. The Responsible
Entity shall review this list at least annually, and update it as
necessary. For the purpose of Standard CIP-002-3, Critical Cyber
Assets are further qualified to be those having at least one of the
following characteristics:
1. Ensure inventory includes assets in all security zones
CIP-002-3 R3: Critical Cyber Asset Identification — Using the list of
Critical Assets developed pursuant to Requirement R2, the
Responsible Entity shall develop a list of associated Critical Cyber
Assets essential to the operation of the Critical Asset. Examples at
control centers and backup control centers include systems and
facilities at master and remote sites that provide monitoring and
control, automatic generation control, real-time power system
modeling, and real-time interutility data exchange. The Responsible
Entity shall review this list at least annually, and update it as
necessary. For the purpose of Standard CIP-002-3, Critical Cyber
Assets are further qualified to be those having at least one of the
following characteristics:
1. Communication and data flow documentation should include any communication and data flows
between BES Cyber Systems and other systems such as business systems, physical security systems,
etc.
Asset Management (AM): The data, personnel,
devices, systems, and facilities that enable the
organization to achieve business purposes are
identified and managed consistent with their relative
importance to business objectives and the
organization’s risk strategy.
RM-2g ACM-1e
ID.AM-1: Physical devices and systems within
the organization are inventoried
ACM-1a ACM-1c ACM-1e
ACM-1f
ID.AM-3: Organizational communication and
data flows are mapped
CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall
document and implement a cyber security policy that represents
management’s commitment and ability to secure its Critical Cyber
Assets. The Responsible Entity shall, at minimum, ensure the
following:
1. Ensure organizational policies include a reference to the CIP Senior Manager's role in approving
cybersecurity policies for NERC CIP systems.
CIP-003-3 R4: Information Protection — The Responsible Entity
shall implement and document a program to identify, classify, and
protect information associated with Critical Cyber Assets.
1. Diagrams for CIP-005-5 should include data flows in addition to logical & physical connectivity
2. Data flows should be classified according to the sensitivity of the information
CIP-005-3 R2: Electronic Access Controls — The Responsible Entity
shall implement and document the organizational processes and
technical and procedural mechanisms for control of electronic
access at all electronic access points to the Electronic Security
Perimeter(s).
1. Diagrams for CIP-005-5 should include data flows in addition to logical & physical connectivity
2. Data flows should be classified according to the sensitivity of the information
CIP-002-3 R3: Critical Cyber Asset Identification — Using the list of
Critical Assets developed pursuant to Requirement R2, the
Responsible Entity shall develop a list of associated Critical Cyber
Assets essential to the operation of the Critical Asset. Examples at
control centers and backup control centers include systems and
facilities at master and remote sites that provide monitoring and
control, automatic generation control, real-time power system
modeling, and real-time interutility data exchange. The Responsible
Entity shall review this list at least annually, and update it as
necessary. For the purpose of Standard CIP-002-3, Critical Cyber
Assets are further qualified to be those having at least one of the
following characteristics:
1. Perform zone-level inventories regularly and compare with previous iterations
2. Results are reviewed by a person with authority to approve
ID.AM-4: External information systems are
catalogued
EDM-1a EDM-1c
EDM-1e
EDM-1g
RM-1c
CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall
document and implement a cyber security policy that represents
management’s commitment and ability to secure its Critical Cyber
Assets. The Responsible Entity shall, at minimum, ensure the
following:
1. Policy language should address inventory and asset management
2. Policy language should address criteria for connecting external information systems
3. Information systems should be considered 'external' if they interconnect across security zones
CIP-005-3 R1: Electronic Security Perimeter — The Responsible
Entity shall ensure that every Critical Cyber Asset resides within an
Electronic Security Perimeter. The Responsible Entity shall identify
and document the Electronic Security Perimeter(s) and all access
points to the perimeter(s).
1. Ensure documentation includes a reason for each inbound/outbound access flow
2. Ensure inventory includes assets in all security zones
3. Establish a methodology that identifies the Bulk Electric System (BES) Cyber Systems which perform
BES reliability operating services (BROS) and evaluate the potential for adverse impact that the loss,
compromise, or misuse would have on the reliable operation of the Bulk Electric System (BES).
CIP-002-3 R3: Critical Cyber Asset Identification — Using the list of
Critical Assets developed pursuant to Requirement R2, the
Responsible Entity shall develop a list of associated Critical Cyber
Assets essential to the operation of the Critical Asset. Examples at
control centers and backup control centers include systems and
facilities at master and remote sites that provide monitoring and
control, automatic generation control, real-time power system
modeling, and real-time interutility data exchange. The Responsible
Entity shall review this list at least annually, and update it as
necessary. For the purpose of Standard CIP-002-3, Critical Cyber
Assets are further qualified to be those having at least one of the
following characteristics:
1. Ensure inventory includes assets in all security zones
2. Establish a methodology that identifies the Bulk Electric System (BES) Cyber Systems which perform
BES reliability operating services (BROS) and evaluate the potential for adverse impact that the loss,
compromise, or misuse would have on the reliable operation of the Bulk Electric System (BES).
CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall
document and implement a cyber security policy that represents
management’s commitment and ability to secure its Critical Cyber
Assets. The Responsible Entity shall, at minimum, ensure the
following:
1. Policy language should address inventory and asset management
2. Inventories should include classification, criticality, and business value
CIP-005-3 R1: Electronic Security Perimeter — The Responsible
Entity shall ensure that every Critical Cyber Asset resides within an
Electronic Security Perimeter. The Responsible Entity shall identify
and document the Electronic Security Perimeter(s) and all access
points to the perimeter(s).
1. Ensure inventory includes assets in all security zones
2. Ensure CIP-005-5 diagrams are coded to highlight classification, criticality, and business value for
each BES Cyber System
CIP-009-3 R1.1: Specify the required actions in response to events
or conditions of varying duration and severity that would activate the
recovery plan(s).
1. Recovery plans should be prioritized based on classification, criticality, and business value
ID.AM-5: Resources (e.g., hardware, devices,
data, and software) are prioritized based on
their classification, criticality, and business
value
ACM-1a
ACM-1b
ACM-1c
ACM-1d
CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall
document and implement a cyber security policy that represents
management’s commitment and ability to secure its Critical Cyber
Assets. The Responsible Entity shall, at minimum, ensure the
following:
1. Ensure policy includes cybersecurity roles and responsibilities for the entire workforce, including third-
party stakeholders
CIP-003-3 R2.3: Where allowed by Standards CIP-002-3 through
CIP-009-3, the senior manager may delegate authority for specific
actions to a named delegate or delegates. These delegations shall
be documented in the same manner as R2.1 and R2.2, and
approved by the senior manager.
1. Clearly define the responsibilities of the person or department responsible for cybersecurity issues
related to third-party stakeholders
CIP-003-3 R2: Leadership — The Responsible Entity shall assign a
single senior manager with overall responsibility and authority for
leading and managing the entity’s implementation of, and adherence
to, Standards CIP-002-3 through CIP-009-3.
1. Clearly define the boundaries of the responsibilities of the CIP Senior Manager
CIP-007-3 R5.1: The Responsible Entity shall ensure that individual
and shared system accounts and authorized access permissions are
consistent with the concept of “need to know” with respect to work
functions performed.
1. Ensure cybersecurity provisioning procedures include handling of third-party access requests
2. Ensure cybersecurity staff are trained on access management procedures and policies related to third-
party access requests
ID.BE-1: The organization’s role in the supply
chain is identified and communicated
EDM-1b EDM-1d EDM-1f
EDM-1g
RM-1c
1. Clearly define the responsibilities of the person or department responsible for cybersecurity issues
related to third-party stakeholders
ID.BE-2: The organization’s place in critical
infrastructure and its industry sector is identified
and communicated
EDM-1b EDM-1d
CPM-1c
EDM-1f
EDM-1g
RM-1c
1. Opportunities to communicate the organization’s place in critical infrastructure include: security
awareness, annual cybersecurity training, and organizational policies
Business Environment (BE): The organization’s
mission, objectives, stakeholders, and activities are
understood and prioritized; this information is used to
inform cybersecurity roles, responsibilities, and risk
management decisions.
ID.AM-6: Cybersecurity roles and
responsibilities for the entire workforce and
third-party stakeholders (e.g., suppliers,
customers, partners) are established
WM-1a
WM-1b
WM-1c
ID.BE-3: Priorities for organizational mission,
objectives, and activities are established and
communicated
RM-3b RM-1c
1. Opportunities to communicate the organization’s mission, objectives, and activities include: security
awareness, annual cybersecurity training, and organizational policies
ID.BE-4: Dependencies and critical functions
for delivery of critical services are established
ACM-1a
ACM-1b
EDM-1a
ACM-1c
ACM-1d
EDM-1c
EDM-1e
ACM-1e
ACM-1f
RM-1c
EDM-1g
CIP-002-3 R3: Critical Cyber Asset Identification — Using the list of
Critical Assets developed pursuant to Requirement R2, the
Responsible Entity shall develop a list of associated Critical Cyber
Assets essential to the operation of the Critical Asset. Examples at
control centers and backup control centers include systems and
facilities at master and remote sites that provide monitoring and
control, automatic generation control, real-time power system
modeling, and real-time interutility data exchange. The Responsible
Entity shall review this list at least annually, and update it as
necessary. For the purpose of Standard CIP-002-3, Critical Cyber
Assets are further qualified to be those having at least one of the
following characteristics:
1. Ensure identification of cyber assets, electronic access points, and data flows that facilitate delivery of
critical services that are supported by networks other than those subject to NERC CIP
ID.BE-5: Resilience requirements to support
delivery of critical services are established
IR-4a
IR-4b
IR-4c
IR-4e
CIP-009-3 R1: Recovery Plans — The Responsible Entity shall
create and annually review recovery plan(s) for Critical Cyber
Assets. The recovery plan(s) shall address at a minimum the
following:
1. Ensure identification of cyber assets, electronic access points, and data flows that facilitate delivery of
critical services that are supported by networks other than those subject to NERC CIP
CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall
document and implement a cyber security policy that represents
management’s commitment and ability to secure its Critical Cyber
Assets. The Responsible Entity shall, at minimum, ensure the
following:
1. Establish an organization information security policy
CIP-004-3 R1: Awareness — The Responsible Entity shall establish,
document, implement, and maintain a security awareness program
to ensure personnel having authorized cyber or authorized
unescorted physical access to Critical Cyber Assets receive on-going
reinforcement in sound security practices. The program shall include
security awareness reinforcement on at least a quarterly basis using
mechanisms such as:
- Direct communications (e.g., emails, memos, computer based training, etc.);
- Indirect communications (e.g., posters, intranet, brochures, etc.);
- Management support and reinforcement (e.g., presentations, meetings, etc.).
1. Ensure employees and third parties are made aware of the organizational security policy
IDENTIFY
(ID)
Governance (GV): The policies, procedures, and
processes to manage and monitor the organization’s
regulatory, legal, risk, environmental, and operational
requirements are understood and inform the
management of cybersecurity risk.
ID.GV-1: Organizational information security
policy is established
RM-1a CPM-2g CPM-5d
RM-3e
CIP-004-3 R3: Personnel Risk Assessment —The Responsible Entity
shall have a documented personnel risk assessment program, in
accordance with federal, state, provincial, and local laws, and
subject to existing collective bargaining unit agreements, for
personnel having authorized cyber or authorized unescorted physical
access to Critical Cyber Assets. A personnel risk assessment shall
be conducted pursuant to that program prior to such personnel being
granted such access except in specified circumstances such as an
emergency.
1. Ensure employees and third parties are provided annual training on the contents of the organizational
security policy
CIP-003-3 R2.3: Where allowed by Standards CIP-002-3 through
CIP-009-3, the senior manager may delegate authority for specific
actions to a named delegate or delegates. These delegations shall
be documented in the same manner as R2.1 and R2.2, and
approved by the senior manager.
1. Ensure that information security roles and responsibilities for BES Cyber Systems are consistent and
compatible with the information security roles and responsibilities for other enterprise systems (e.g., IT or
physical security).
CIP-003-3 R2: Leadership — The Responsible Entity shall assign a
single senior manager with overall responsibility and authority for
leading and managing the entity’s implementation of, and adherence
to, Standards CIP-002-3 through CIP-009-3.
1. Develop a clear policy "line of sight" extending from the Board level down to the end user
2. Establish clear responsibilities both inside and outside the NERC cyber security program
ID.GV-3: Legal and regulatory requirements
regarding cybersecurity, including privacy and
civil liberties obligations, are understood and
managed
CPM-2k
IR-3n
RM-3f
ACM-4f
IAM-3f
TVM-3f
SA-4f
ISC-2f
IR-5f
EDM-3f
WM-5f
1. Enhance cybersecurity training and awareness program by including content on the NERC ERO
model, and the NIST Cybersecurity Framework and any related regulatory frameworks.
ID.GV-2: Information security roles &
responsibilities are coordinated and aligned
with internal roles and external partners
WM-1a
WM-1b
WM-1c
WM-5b
ISC-2b
WM-1f
WM-1g
ID.GV-4: Governance and risk management
processes address cybersecurity risks
RM-2a
RM-2b
RM-3b RM-2h
RM-3e
RM-1c
RM-1e
1. Where CIP version 5 has moved from a risk-based to a bright-line based approach to identifying in-
scope assets, organizations should focus on integrating their methodology with their enterprise risk-
management frameworks.
2. Additional cyber systems should be identified and protected based on their risk to the business or risk
to the reliability of the bulk electric system
CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall
document and implement a cyber security policy that represents
management’s commitment and ability to secure its Critical Cyber
Assets. The Responsible Entity shall, at minimum, ensure the
following:
1. Policies for vulnerability management should be established
CIP-007-3 R3: Security Patch Management — The Responsible
Entity, either separately or as a component of the documented
configuration management process specified in CIP-003-3
Requirement R6, shall establish, document and implement a security
patch management program for tracking, evaluating, testing, and
installing applicable cyber security software patches for all Cyber
Assets within the Electronic Security Perimeter(s).
1. Security Patch Management should be established
2. Adherence to Security Patch Management practices should be measured as part of the vulnerability
assessment processes
3. Missing security patches should be compared to the documented mitigation plans
CIP-007-3 R8: Cyber Vulnerability Assessment — The Responsible
Entity shall perform a cyber vulnerability assessment of all Cyber
Assets within the Electronic Security Perimeter at least annually. The
vulnerability assessment shall include, at a minimum, the following:
1. Asset vulnerabilities are identified and documented
CIP-007-3 R3: Security Patch Management — The Responsible
Entity, either separately or as a component of the documented
configuration management process specified in CIP-003-3
Requirement R6, shall establish, document and implement a security
patch management program for tracking, evaluating, testing, and
installing applicable cyber security software patches for all Cyber
Assets within the Electronic Security Perimeter(s).
1. Ensure you are getting information from sources such as ICS CERT, ES ISAC, US CERT, relevant
vendor forums, and other applicable information sharing forums and sources.
CIP-007-3 R8: Cyber Vulnerability Assessment — The Responsible
Entity shall perform a cyber vulnerability assessment of all Cyber
Assets within the Electronic Security Perimeter at least annually. The
vulnerability assessment shall include, at a minimum, the following:
1. Enhance the vulnerability assessment processes by inclusion of a threat management practice that
can be executed quickly in reaction to a threat (zero-day attack targeting BASH, for instance)
Risk Assessment (RA): The organization understands
the cybersecurity risk to organizational operations
(including mission, functions, image, or reputation),
organizational assets, and individuals.
ID.RA-1: Asset vulnerabilities are identified and
documented
TVM-2a
TVM-2b
TVM-2c
TVM-2d
TVM-2e
TVM-2f
RM-1c
RM-2j
TVM-2i
TVM-2j
TVM-2k
TVM-2l
TVM-2m
ID.RA-2: Threat and vulnerability information is
received from information sharing forums and
sources
TVM-1a
TVM-1b
TVM-2a
TVM-2b
ID.RA-3: Threats, both internal and external,
are identified and documented
TVM-1a
TVM-1b
TVM-1d
TVM-1e
TVM-1f
RM-1c
RM-2j
TVM-1i
TVM-1j
CIP-007-3 R6.3: The Responsible Entity shall maintain logs of
system events related to cyber security, where technically feasible,
to support incident response as required in Standard CIP-008-3.
1. Enhance the threat management practice by implementing procedures to:
- modify logging levels in reaction to high-impact threat
- obtain signatures of known attacks and search your environment for matches
- perform vulnerability scans against test or standby systems whose configuration matches production
systems
- establish multi-tier response guidelines such that security events are researched more quickly under
higher threat levels
ID.RA-4: Potential business impacts and
likelihoods are identified
TVM-1d
TVM-1f
TVM-1i
CIP-002-3 R3: Critical Cyber Asset Identification — Using the list of
Critical Assets developed pursuant to Requirement R2, the
Responsible Entity shall develop a list of associated Critical Cyber
Assets essential to the operation of the Critical Asset. Examples at
control centers and backup control centers include systems and
facilities at master and remote sites that provide monitoring and
control, automatic generation control, real-time power system
modeling, and real-time interutility data exchange. The Responsible
Entity shall review this list at least annually, and update it as
necessary. For the purpose of Standard CIP-002-3, Critical Cyber
Assets are further qualified to be those having at least one of the
following characteristics:
1. Where CIP version 5 has moved from a risk-based to a bright-line based approach to identifying in-
scope assets, organizations should focus on integrating their methodology with their enterprise risk-
management frameworks.
2. Additional cyber systems should be identified and protected based on their risk to the business or risk
to the reliability of the bulk electric system
CIP-007-3 R3: Security Patch Management — The Responsible
Entity, either separately or as a component of the documented
configuration management process specified in CIP-003-3
Requirement R6, shall establish, document and implement a security
patch management program for tracking, evaluating, testing, and
installing applicable cyber security software patches for all Cyber
Assets within the Electronic Security Perimeter(s).
1. Enhance patch mitigation plans by documenting impacts and business risk
2. Business risk can be informative for scheduling patch deployments and mitigation plans
CIP-007-3 R8: Cyber Vulnerability Assessment — The Responsible
Entity shall perform a cyber vulnerability assessment of all Cyber
Assets within the Electronic Security Perimeter at least annually. The
vulnerability assessment shall include, at a minimum, the following:
1. Enhance vulnerability assessment processes by documenting potential impacts and business risk
2. Business risk can be informative for scheduling vulnerability assessment findings and mitigation plans
ID.RA-5: Threats, vulnerabilities, likelihoods,
and impacts are used to determine risk
RM-1c
RM-2j
TVM-1i
TVM-2l
TVM-2m
CIP-007-3 R3: Security Patch Management — The Responsible
Entity, either separately or as a component of the documented
configuration management process specified in CIP-003-3
Requirement R6, shall establish, document and implement a security
patch management program for tracking, evaluating, testing, and
installing applicable cyber security software patches for all Cyber
Assets within the Electronic Security Perimeter(s).
1. Business risk can be informative for scheduling patch deployments and mitigation plans
CIP-007-3 R8: Cyber Vulnerability Assessment — The Responsible
Entity shall perform a cyber vulnerability assessment of all Cyber
Assets within the Electronic Security Perimeter at least annually. The
vulnerability assessment shall include, at a minimum, the following:
1. Business risk can be informative for scheduling vulnerability assessment findings and mitigation plans
CIP-008-3 R1.2: Response actions, including roles and
responsibilities of Cyber Security Incident response teams, Cyber
Security Incident handling procedures, and communication plans.
1. Business risk can be informative for developing prioritized incident response plans
ID.RM-1: Risk management processes are
established, managed, and agreed to by
organizational stakeholders
RM-2a
RM-2b
RM-1a
RM-1b
RM-2c
RM-2d
RM-2e
RM-2f
RM-2g
RM-3a
RM-3b
RM-3c
RM-3d
RM-1c
RM-1d
RM-1e
RM-2h
RM-2i
RM-2j
RM-3e
RM-3f
RM-3g
RM-3h
RM-3i
1. Enterprise risk management practices should include risks associated with BES Cyber Systems, to
include what is unique about these systems as well as what makes them similar to other enterprise
information systems.
ID.RM-2: Organizational risk tolerance is
determined and clearly expressed
RM-1c
RM-1e
1. Risks should be assigned to business process owners who have the authority to effect change,
mitigate, or accept risk.
ID.RM-3: The organization’s determination of
risk tolerance is informed by their role in critical
infrastructure and sector specific risk analysis
RM-1b
RM-1c
1. Business process owners who manage risks associated with BES Cyber Systems should be educated
in their responsibilities as a critical infrastructure custodian.
Risk Management Strategy (RM): The organization’s
priorities, constraints, risk tolerances, and assumptions
are established and used to support operational risk
decisions.
ID.RA-6: Risk responses are identified and
prioritized
RM-2e
RM-1c
RM-2j
TVM-1i
TVM-2l
IR-3m
IR-4d
IR-4e
CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall
document and implement a cyber security policy that represents
management’s commitment and ability to secure its Critical Cyber
Assets. The Responsible Entity shall, at minimum, ensure the
following:
1. Access control rules for logical system access should be clearly stated in an organizational policy with
a goal to protect systems from unauthorized access. The policy should address the granting,
modification, removal, and review of access permissions. The policy should establish the requirements
for the use of "principle of least privilege" or "need to know". The access control policy should be
periodically reviewed and approved by an appropriate member of senior management.
2. Policies should include requirements for granting access only when background check and training
requirements are met
CIP-004-3 R4.2: The Responsible Entity shall revoke such access to
Critical Cyber Assets within 24 hours for personnel terminated for
cause and within seven calendar days for personnel who no longer
require such access to Critical Cyber Assets.
1. A formal procedure or process should be defined for revoking logical system access and shared
account access. The procedure or process should ensure that the triggering events (e.g.: termination,
promotion, job transfer) for access revocation are clearly stated and how those events are incorporated
into access revocation processes. This can be accomplished through a written procedure or documented
workflow.
CIP-007-3 R5: Account Management — The Responsible Entity
shall establish, implement, and document technical and procedural
controls that enforce access authentication of, and accountability
for, all user activity, and that minimize the risk of unauthorized
system access.
1. A formal procedure or process should be defined for managing logical system access. The procedure
or process should encompass: (1) granting of access (including training and background checks), and (2)
periodic review of access permissions (including review and update of training and background checks).
The procedure or process should demonstrate implementation of "principle of least privilege" or "need to
know". This can be accomplished through a written procedure or documented workflow.
CIP-007-3 R5: Account Management — The Responsible Entity
shall establish, implement, and document technical and procedural
controls that enforce access authentication of, and accountability
for, all user activity, and that minimize the risk of unauthorized
system access.
1. There should be a formal procedure or process for managing system access controls to protect
systems from unauthorized access. The procedure or process should define: (1) the use of authentication
methods; (2) management of default accounts provided by vendors and accounts shared by multiple
people; (3) management of all entity-defined accounts shared by multiple people, including generic,
service, and administrator accounts; (4) implementation of password requirements, including complexity
and periodic changes; and (5) limiting and alerting on unsuccessful login attempts for all accounts.
CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall
document and implement a cyber security policy that represents
management’s commitment and ability to secure its Critical Cyber
Assets. The Responsible Entity shall, at minimum, ensure the
following:
1. Access control rules for physical access should be clearly stated in an organizational policy with a goal
to protect systems from unauthorized access. The policy should address the granting, modification,
removal, and review of access permissions. The policy should establish the requirements for the use of
"principle of least privilege" or "need to use". The access control policy should be periodically reviewed
and approved by an appropriate member of senior management.
CIP-004-3 R4.2: The Responsible Entity shall revoke such access to
Critical Cyber Assets within 24 hours for personnel terminated for
cause and within seven calendar days for personnel who no longer
require such access to Critical Cyber Assets.
1. There should be a formal procedure or process for revoking physical access. The
procedure or process should ensure that the triggering events (e.g.: termination, promotion, job transfer)
for access revocation are clearly stated and how those events are incorporated into access revocation
processes. This can be accomplished through a written procedure or documented workflow.
Access Control (AC): Access to assets and associated
facilities is limited to authorized users, processes, or
devices, and to authorized activities and transactions.
PR.AC-1: Identities and credentials are
managed for authorized devices and users
IAM-1a
IAM-1b
IAM-1c
IAM-1d
IAM-1e
IAM-1f
RM-1c
IAM-1g
PR.AC-2: Physical access to assets is
managed and protected
IAM-2a
IAM-2b
IAM-2c
IAM-2d
IAM-2e
IAM-2f
IAM-2g
CIP-006-3 R1.6: A visitor control program for visitors (personnel
without authorized unescorted access to a Physical Security
Perimeter), containing at a minimum the following:
1. There should be a formal procedure or process for managing visitors to premises. The procedure or
process should define: (1) logging of entry and exit; (2) continuous escort and supervision of visitors.
CIP-006-3 R1: Physical Security Plan — The Responsible Entity
shall document, implement, and maintain a physical security plan,
approved by the senior manager or delegate(s) that shall address, at
a minimum, the following:
1. There should be a formal procedure or process for managing physical access controls to protect
systems from unauthorized access. The procedure or process should define: (1) the use of access
control mechanisms; (2) logging of entry and exit; (3) monitoring of physical premises; and (4) alerting on
unauthorized access.
CIP-006-3 R4: Physical Access Controls — The Responsible Entity
shall document and implement the operational and procedural
controls to manage physical access at all access points to the
Physical Security Perimeter(s) twenty-four hours a day, seven days a
week. The Responsible Entity shall implement one or more of the
following physical access methods:
• Card Key: A means of electronic access where the access rights of
the card holder are predefined in a computer database. Access
rights may differ from one perimeter to another.
• Special Locks: These include, but are not limited to, locks with
“restricted key” systems, magnetic locks that can be operated
remotely, and “man-trap” systems.
• Security Personnel: Personnel responsible for controlling physical
access who may reside on-site or at a monitoring station.
• Other Authentication Devices: Biometric, keypad, token, or other
equivalent devices that control physical access to the Critical Cyber
Assets.
1. A formal procedure or process should be defined for managing physical access. The procedure or
process should encompass: (1) granting of access (including training and background checks), and (2)
periodic review of access permissions (including review and update of training and background checks).
The procedure or process should demonstrate implementation of "principle of least privilege" or "need to
know". This can be accomplished through a written procedure or documented workflow.
CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall
document and implement a cyber security policy that represents
management’s commitment and ability to secure its Critical Cyber
Assets. The Responsible Entity shall, at minimum, ensure the
following:
1. Access control rules for remote access should be clearly stated in an organizational policy with a goal
to protect systems from unauthorized access. The policy should address the granting, modification,
removal, and review of access permissions. The policy should establish the requirements for the use of
"principle of least privilege" or "need to use". The access control policy should be periodically reviewed
and approved by an appropriate member of senior management.
CIP-004-3 R4.2: The Responsible Entity shall revoke such access to
Critical Cyber Assets within 24 hours for personnel terminated for
cause and within seven calendar days for personnel who no longer
require such access to Critical Cyber Assets.
1. There should be a formal procedure or process for revoking access. The
procedure or process should ensure that the triggering events (e.g.: termination, promotion, job transfer)
for access revocation are clearly stated and how those events are incorporated into access revocation
processes. This can be accomplished through a written procedure or documented workflow.
PR.AC-3: Remote access is managed
IAM-2a
IAM-2b
IAM-2c
IAM-2d
IAM-2e
IAM-2f
IAM-2g
CIP-005-3 R1: Electronic Security Perimeter — The Responsible
Entity shall ensure that every Critical Cyber Asset resides within an
Electronic Security Perimeter. The Responsible Entity shall identify
and document the Electronic Security Perimeter(s) and all access
points to the perimeter(s).
1. There should be a formal procedure or process to monitor and control dial-up remote access to the
information system, which requires the use of authentication.
CIP-005-3 R2: Electronic Access Controls — The Responsible Entity
shall implement and document the organizational processes and
technical and procedural mechanisms for control of electronic
access at all electronic access points to the Electronic Security
Perimeter(s).
1. There should be a formal procedure or process to monitor and control all methods of remote access
(e.g., VPN, Citrix) to the information system. Remote access should only be allowed through managed
access control points that do not allow direct access to protected assets. Encryption should be used to
protect the confidentiality of remote access sessions. Multi-factor authentication should be used for all
remote access sessions.
CIP-007-3 R5: Account Management — The Responsible Entity
shall establish, implement, and document technical and procedural
controls that enforce access authentication of, and accountability
for, all user activity, and that minimize the risk of unauthorized
system access.
1. A formal procedure or process should be defined for managing remote access. The procedure or
process should encompass: (1) granting of access (including training and background checks), and (2)
periodic review of access permissions (including review and update of training and background checks).
The procedure or process should demonstrate implementation of "principle of least privilege" or "need to
know". This can be accomplished through a written procedure or documented workflow.
CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall
document and implement a cyber security policy that represents
management’s commitment and ability to secure its Critical Cyber
Assets. The Responsible Entity shall, at minimum, ensure the
following:
1. Access control rules for logical system access should be clearly stated in an organizational policy with
a goal to protect systems from unauthorized access. The policy should address the granting,
modification, removal, and review of access permissions. The policy should establish the requirements
for the use of "principle of least privilege" or "need to know". The access control policy should be
periodically reviewed and approved by an appropriate member of senior management.
2. Policies should contain requirements for management of system-level credentials.
CIP-004-3 R4.2: The Responsible Entity shall revoke such access to
Critical Cyber Assets within 24 hours for personnel terminated for
cause and within seven calendar days for personnel who no longer
require such access to Critical Cyber Assets.
1. There should be a formal procedure or process for managing system access controls to protect
systems from unauthorized access. The procedure or process should define: (1) the use of authentication
methods; (2) management of default accounts provided by vendors and accounts shared by multiple
people; (3) management of all entity-defined accounts shared by multiple people, including generic,
service, and administrator accounts; (4) implementation of password requirements, including complexity
and periodic changes; and (5) limiting and alerting on unsuccessful login attempts for all accounts.
CIP-007-3 R5.1: The Responsible Entity shall ensure that individual
and shared system accounts and authorized access permissions are
consistent with the concept of “need to know” with respect to work
functions performed.
1. A formal procedure or process should be defined for managing logical system access. The procedure
or process should encompass: (1) granting of access (including training and background checks), and (2)
periodic review of access permissions (including review and update of training and background checks).
The procedure or process should demonstrate implementation of "principle of least privilege" or "need to
know". This can be accomplished through a written procedure or documented workflow.
PR.AC-4: Access permissions are managed,
incorporating the principles of least privilege
and separation of duties
IAM-2d
CIP-007-3 R5: Account Management — The Responsible Entity
shall establish, implement, and document technical and procedural
controls that enforce access authentication of, and accountability
for, all user activity, and that minimize the risk of unauthorized
system access.
1. There should be a formal procedure or process for managing system access controls to protect
systems from unauthorized access. The procedure or process should define: (1) the use of authentication
methods; (2) management of default accounts provided by vendors and accounts shared by multiple
people; (3) management of all entity-defined accounts shared by multiple people, including generic,
service, and administrator accounts; (4) implementation of password requirements, including complexity
and periodic changes; and (5) limiting and alerting on unsuccessful login attempts for all accounts. The
procedure or process should demonstrate implementation of "principle of least privilege" or "need to
know". This can be accomplished through a written procedure or documented workflow.
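As an added illustration of item (5) in the guidance above (limiting and alerting on unsuccessful login attempts), the following Python script is an editor's example and is not part of the mapping document or of any NERC or NIST material. It parses constructed authentication log lines, keeps a sliding window of failures per host and account, reports accounts that reach a threshold, and tags vendor-default and shared accounts (items (2) and (3)) so they stand out in review. The log format, host and account names, the default/shared account list and the threshold are assumptions made for the example.

```python
"""
Added example (not from the CIP/CSF mapping document): sliding-window
detection of repeated failed logins per account, with vendor-default and
shared accounts flagged. Log format and names are constructed assumptions.
"""
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (syslog-like); not captured from any real asset.
SAMPLE_LOG = """\
2014-11-03T08:00:01 hmi01 auth: FAILED login user=operator src=10.1.1.20
2014-11-03T08:00:07 hmi01 auth: FAILED login user=operator src=10.1.1.20
2014-11-03T08:00:12 hmi01 auth: ACCEPTED login user=operator src=10.1.1.20
2014-11-03T08:05:00 rtu07 auth: FAILED login user=admin src=10.1.1.99
2014-11-03T08:05:03 rtu07 auth: FAILED login user=admin src=10.1.1.99
2014-11-03T08:05:06 rtu07 auth: FAILED login user=admin src=10.1.1.99
2014-11-03T08:05:09 rtu07 auth: FAILED login user=admin src=10.1.1.99
2014-11-03T08:05:12 rtu07 auth: FAILED login user=admin src=10.1.1.99
2014-11-03T09:30:00 hmi01 auth: FAILED login user=svc_hist src=10.1.2.5
2014-11-03T10:30:00 hmi01 auth: FAILED login user=svc_hist src=10.1.2.5
2014-11-03T11:30:00 hmi01 auth: FAILED login user=svc_hist src=10.1.2.5
2014-11-03T12:30:00 hmi01 auth: FAILED login user=svc_hist src=10.1.2.5
2014-11-03T13:30:00 hmi01 auth: FAILED login user=svc_hist src=10.1.2.5
"""

# Assumed list of vendor-default / shared account names the entity tracks
# under its account management procedure (guidance items (2) and (3)).
DEFAULT_OR_SHARED = {"admin", "root", "guest", "operator", "svc_hist"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>FAILED|ACCEPTED) login "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(text: str) -> list[dict]:
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def failed_login_alerts(
    events: list[dict], threshold: int = 5, window: timedelta = timedelta(minutes=10)
) -> list[dict]:
    """Return one alert per (host, user) whose failures within `window` reach
    `threshold`. The per-account sliding window means slow, spread-out failures
    (svc_hist above) do not trip the alert while a burst (admin above) does.
    A successful login clears the failure run. Each account alerts once per run."""
    recent: dict[tuple[str, str], deque] = defaultdict(deque)
    alerted: set[tuple[str, str]] = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["user"])
        if ev["result"] == "ACCEPTED":
            recent[key].clear()
            continue
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "host": ev["host"],
                "user": ev["user"],
                "failures": len(q),
                "first": q[0].isoformat(),
                "last": ev["ts"].isoformat(),
                "default_or_shared": ev["user"] in DEFAULT_OR_SHARED,
            })
    return alerts


if __name__ == "__main__":
    for a in failed_login_alerts(parse_events(SAMPLE_LOG)):
        tag = " [default/shared account]" if a["default_or_shared"] else ""
        print(f"ALERT {a['host']} user={a['user']} failures={a['failures']} "
              f"{a['first']}..{a['last']}{tag}")
```

The threshold and window are parameters rather than constants so the same logic can be tuned per asset class; with the constructed input only the burst against `admin` on `rtu07` produces an alert, and it is tagged as a default/shared account.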
CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall
document and implement a cyber security policy that represents
management’s commitment and ability to secure its Critical Cyber
Assets. The Responsible Entity shall, at minimum, ensure the
following:
1. Access control rules for logical system access should be clearly stated in an organizational policy with
a goal to protect systems from unauthorized access. The policy should address the restriction of access
to the network layer. This can be accomplished through network segmentation and network access
controls.
2. Policies should contain requirements for information protection within, and between, the various
network security zones.
CIP-005-3 R1: Electronic Security Perimeter — The Responsible
Entity shall ensure that every Critical Cyber Asset resides within an
Electronic Security Perimeter. The Responsible Entity shall identify
and document the Electronic Security Perimeter(s) and all access
points to the perimeter(s).
1. There should be formal procedures and processes to implement security zones separating protected
assets from other organizational networks and public networks. Monitoring of communications at the
network boundary should be implemented. Connection to protected assets should only be through
managed interfaces consisting of boundary protection devices arranged in accordance with an
organizational documented security architecture.
CIP-007-3 R2: Ports and Services — The Responsible Entity shall
establish, document and implement a process to ensure that only
those ports and services required for normal and emergency
operations are enabled.
1. There should be formal procedures and processes to manage and secure network accessible ports as
well as physical I/O ports in operation on an asset. This includes monitoring and documenting the status
and use of discovered ports.
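To show what "monitoring and documenting the status and use of discovered ports" can look like in practice, here is an added Python example; it is the editor's illustration, not code from the mapping document or from NERC or NIST. It parses constructed listening-socket lines in the shape printed by `ss -tulpn`, compares them with a documented baseline of ports required for normal and emergency operations, and reports undocumented listeners, documented ports owned by an unexpected process, emergency-only ports, and documented ports that are not actually listening (a stale baseline). The sample sockets, process names and baseline entries are assumptions constructed for the example.

```python
"""
Added example (not from the CIP/CSF mapping document): compare discovered
listening ports on an asset with the documented ports-and-services baseline.
Sample output lines and the baseline are constructed assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of listening sockets for one asset; format modelled on
# `ss -tulpn` output, not captured from a real system.
SAMPLE_SOCKETS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=611,fd=3))
tcp   LISTEN 0      128    0.0.0.0:502        0.0.0.0:*         users:(("modbusd",pid=902,fd=5))
tcp   LISTEN 0      5      0.0.0.0:21         0.0.0.0:*         users:(("vsftpd",pid=1201,fd=4))
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*         users:(("snmpd",pid=733,fd=7))
tcp   LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*         users:(("postgres",pid=820,fd=6))
"""

# Documented baseline (constructed): (protocol, port) -> (expected process, justification).
# Entries justified as "emergency" are permitted but reported so the reviewer sees them.
BASELINE = {
    ("tcp", 22): ("sshd", "normal: remote maintenance via jump host"),
    ("tcp", 502): ("modbusd", "normal: Modbus/TCP polling from SCADA master"),
    ("tcp", 20000): ("dnp3d", "normal: DNP3 to control center"),
    ("udp", 161): ("snmpd", "emergency: SNMP read-only for outage diagnostics"),
}

SOCKET_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+"
    r'users:\(\("(?P<proc>[^"]+)"'
)


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str


def parse_listeners(text: str) -> list[Listener]:
    """Parse ss-style lines; the header and any unmatched lines are skipped."""
    out = []
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if m:
            out.append(Listener(m["proto"], m["addr"], int(m["port"]), m["proc"]))
    return out


def compare_to_baseline(listeners: list[Listener], baseline: dict) -> dict[str, list]:
    """Classify discovered listeners against the documented baseline.

    undocumented     : listening but not in the baseline (justify or disable under R2)
    process_mismatch : port is documented but a different process owns it
    emergency_only   : documented for emergency operations only
    not_listening    : documented but absent (baseline may be stale)
    """
    findings: dict[str, list] = {
        "undocumented": [], "process_mismatch": [], "emergency_only": [], "not_listening": []
    }
    seen = set()
    for l in listeners:
        key = (l.proto, l.port)
        seen.add(key)
        if key not in baseline:
            findings["undocumented"].append(l)
            continue
        proc, justification = baseline[key]
        if proc != l.process:
            findings["process_mismatch"].append(l)
        if justification.startswith("emergency"):
            findings["emergency_only"].append(l)
    for key in baseline.keys() - seen:
        findings["not_listening"].append(key)
    return findings


if __name__ == "__main__":
    results = compare_to_baseline(parse_listeners(SAMPLE_SOCKETS), BASELINE)
    for kind, items in results.items():
        for item in items:
            print(f"{kind:17s} {item}")
```

Run against the constructed sample, the FTP and local PostgreSQL listeners come back as undocumented, SNMP is reported as emergency-only, and the documented DNP3 port is flagged as not listening, which is the prompt to either fix the asset or correct the baseline document.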
CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall
document and implement a cyber security policy that represents
management’s commitment and ability to secure its Critical Cyber
Assets. The Responsible Entity shall, at minimum, ensure the
following:
1. Policies should contain requirements for user training and security awareness.
CIP-004-3 R1: Awareness — The Responsible Entity shall establish,
document, implement, and maintain a security awareness program
to ensure personnel having authorized cyber or authorized
unescorted physical access to Critical Cyber Assets receive on-going
reinforcement in sound security practices. The program shall include
security awareness reinforcement on at least a quarterly basis using
mechanisms such as:
• Direct communications (e.g., emails, memos, computer based
training, etc.);
• Indirect communications (e.g., posters, intranet, brochures, etc.);
• Management support and reinforcement (e.g., presentations,
meetings, etc.).
1. Implement a security awareness program that covers all assets, locations, and stakeholders.
PR.AC-5: Network integrity is protected,
incorporating network segregation where
appropriate
CPM-3a
CPM-3b
CPM-3c
CPM-3d
Awareness and Training (AT): The organization’s
personnel and partners are provided cybersecurity
awareness education and are adequately trained to
perform their information security-related duties and
responsibilities consistent with related policies,
procedures, and agreements.
PR.AT-1: All users are informed and trained
WM-3a
WM-3b
WM-3c
WM-3d
WM-3e
WM-3f
WM-3g
WM-3h
WM-3i
CIP-004-3 R2: Training — The Responsible Entity shall establish,
document, implement, and maintain an annual cyber security
training program for personnel having authorized cyber or authorized
unescorted physical access to Critical Cyber Assets. The cyber
security training program shall be reviewed annually, at a minimum,
and shall be updated whenever necessary.
1. Implement a security training program that covers all assets, locations, and stakeholders.
CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall
document and implement a cyber security policy that represents
management’s commitment and ability to secure its Critical Cyber
Assets. The Responsible Entity shall, at minimum, ensure the
following:
1. Policies should contain requirements for user training and security awareness.
CIP-004-3 R1: Awareness — The Responsible Entity shall establish,
document, implement, and maintain a security awareness program
to ensure personnel having authorized cyber or authorized
unescorted physical access to Critical Cyber Assets receive on-going
reinforcement in sound security practices. The program shall include
security awareness reinforcement on at least a quarterly basis using
mechanisms such as:
• Direct communications (e.g., emails, memos, computer based
training, etc.);
• Indirect communications (e.g., posters, intranet, brochures, etc.);
• Management support and reinforcement (e.g., presentations,
meetings, etc.).
1. Implement a security awareness program that covers all assets, locations, and stakeholders.
PR.AT-2: Privileged users understand roles &
responsibilities.
WM-1a
WM-1b
WM-1c
WM-1d
WM-1e
WM-1f
WM-1g
CIP-004-3 R2: Training — The Responsible Entity shall establish,
document, implement, and maintain an annual cyber security
training program for personnel having authorized cyber or authorized
unescorted physical access to Critical Cyber Assets. The cyber
security training program shall be reviewed annually, at a minimum,
and shall be updated whenever necessary.
1. Implement a security training program that covers all assets, locations, and stakeholders.
CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall
document and implement a cyber security policy that represents
management’s commitment and ability to secure its Critical Cyber
Assets. The Responsible Entity shall, at minimum, ensure the
following:
1. Policies should contain requirements for user training and security awareness.
CIP-004-3 R1: Awareness — The Responsible Entity shall establish,
document, implement, and maintain a security awareness program
to ensure personnel having authorized cyber or authorized
unescorted physical access to Critical Cyber Assets receive on-going
reinforcement in sound security practices. The program shall include
security awareness reinforcement on at least a quarterly basis using
mechanisms such as:
• Direct communications (e.g., emails, memos, computer based
training, etc.);
• Indirect communications (e.g., posters, intranet, brochures, etc.);
• Management support and reinforcement (e.g., presentations,
meetings, etc.).
1. Implement a security awareness program that covers all assets, locations, and stakeholders.
CIP-004-3 R2: Training — The Responsible Entity shall establish,
document, implement, and maintain an annual cyber security
training program for personnel having authorized cyber or authorized
unescorted physical access to Critical Cyber Assets. The cyber
security training program shall be reviewed annually, at a minimum,
and shall be updated whenever necessary.
1. Implement a security training program that covers all assets, locations, and stakeholders.
PR.AT-3: Third-party stakeholders (e.g.,
suppliers, customers, partners) understand
roles & responsibilities
WM-1a
WM-1b
WM-1c
WM-1d
WM-1e
WM-1f
WM-1g
CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall
document and implement a cyber security policy that represents
management’s commitment and ability to secure its Critical Cyber
Assets. The Responsible Entity shall, at minimum, ensure the
following:
1. Policies should contain requirements for user training and security awareness.
PR.AT-4: Senior executives understand roles &
responsibilities
WM-1a
WM-1b
WM-1c
WM-1d
WM-1e
WM-1f
WM-1g
CIP-003-3 R2.3: Where allowed by Standards CIP-002-3 through
CIP-009-3, the senior manager may delegate authority for specific
actions to a named delegate or delegates. These delegations shall
be documented in the same manner as R2.1 and R2.2, and
approved by the senior manager.
1. The CIP Senior Manager should be able to demonstrate that they understand their roles and
responsibilities. Consider an acknowledgement form.
CIP-004-3 R1: Awareness — The Responsible Entity shall establish,
document, implement, and maintain a security awareness program
to ensure personnel having authorized cyber or authorized
unescorted physical access to Critical Cyber Assets receive on-going
reinforcement in sound security practices. The program shall include
security awareness reinforcement on at least a quarterly basis using
mechanisms such as:
• Direct communications (e.g., emails, memos, computer based
training, etc.);
• Indirect communications (e.g., posters, intranet, brochures, etc.);
• Management support and reinforcement (e.g., presentations,
meetings, etc.).
1. Implement a security awareness program that covers all assets, locations, and stakeholders.
CIP-004-3 R2: Training — The Responsible Entity shall establish,
document, implement, and maintain an annual cyber security
training program for personnel having authorized cyber or authorized
unescorted physical access to Critical Cyber Assets. The cyber
security training program shall be reviewed annually, at a minimum,
and shall be updated whenever necessary.
1. Implement a security training program that covers all assets, locations, and stakeholders.
CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall
document and implement a cyber security policy that represents
management’s commitment and ability to secure its Critical Cyber
Assets. The Responsible Entity shall, at minimum, ensure the
following:
1. Policies should contain requirements for user training and security awareness.
WM-1g
PR.AT-5: Physical and information security
personnel understand roles & responsibilities
WM-1a
WM-1b
WM-1c
WM-1d
WM-1e
WM-1f
WM-1g
CIP-004-3 R1: Awareness — The Responsible Entity shall establish,
document, implement, and maintain a security awareness program
to ensure personnel having authorized cyber or authorized
unescorted physical access to Critical Cyber Assets receive on-going
reinforcement in sound security practices. The program shall include
security awareness reinforcement on at least a quarterly basis using
mechanisms such as:
• Direct communications (e.g., emails, memos, computer based
training, etc.);
• Indirect communications (e.g., posters, intranet, brochures, etc.);
• Management support and reinforcement (e.g., presentations,
meetings, etc.).
1. Implement a security awareness program that covers all assets, locations, and stakeholders.
CIP-004-3 R2: Training — The Responsible Entity shall establish,
document, implement, and maintain an annual cyber security
training program for personnel having authorized cyber or authorized
unescorted physical access to Critical Cyber Assets. The cyber
security training program shall be reviewed annually, at a minimum,
and shall be updated whenever necessary.
1. Implement a security training program that covers all assets, locations, and stakeholders.
CIP-006-3 R1.6: A visitor control program for visitors (personnel
without authorized unescorted access to a Physical Security
Perimeter), containing at a minimum the following:
1. Ensure physical security personnel are trained on the visitor control program and are given tools as
necessary to monitor and manage the program.
CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall
document and implement a cyber security policy that represents
management’s commitment and ability to secure its Critical Cyber
Assets. The Responsible Entity shall, at minimum, ensure the
following:
1. Rules for identifying and protecting the confidentiality and integrity of information should be included in
the entity's official security policy. System-related information requiring protection includes items defined
as BES Protected Information.
CIP-003-3 R4: Information Protection — The Responsible Entity
shall implement and document a program to identify, classify, and
protect information associated with Critical Cyber Assets.
1. Formal procedures and processes should be implemented to identify and secure protected information
at rest and data in transit.
Data Security (DS): Information and records (data) are
managed consistent with the organization’s risk
strategy to protect the confidentiality, integrity, and
availability of information.
PR.DS-1: Data-at-rest is protected
ACM-1b
TVM-1c
TVM-2c
CPM-3b
ACM-1e
TVM-2i
TVM-2n
CIP-004-3 R4.2: The Responsible Entity shall revoke such access to
Critical Cyber Assets within 24 hours for personnel terminated for
cause and within seven calendar days for personnel who no longer
require such access to Critical Cyber Assets.
1. Access control rules should cover protection of the confidentiality and integrity of information at rest,
i.e. information located on storage devices. Proper access controls (i.e.: provisioning, revocation)
should be used to restrict access to such information.
CIP-007-3 R4: Malicious Software Prevention — The Responsible
Entity shall use anti-virus software and other malicious software
(“malware”) prevention tools, where technically feasible, to detect,
prevent, deter, and mitigate the introduction, exposure, and
propagation of malware on all Cyber Assets within the Electronic
Security Perimeter(s).
1. Monitoring, detection and prevention of malicious code should be implemented to protect information
at rest.
CIP-007-3 R5: Account Management — The Responsible Entity
shall establish, implement, and document technical and procedural
controls that enforce access authentication of, and accountability
for, all user activity, and that minimize the risk of unauthorized
system access.
1. Access control rules should cover protection of the confidentiality and integrity of information at rest,
i.e. information located on storage devices. Proper access controls (i.e.: provisioning, revocation)
should be used to restrict access to such information.
CIP-007-3 R7: Disposal or Redeployment — The Responsible Entity
shall establish and implement formal methods, processes, and
procedures for disposal or redeployment of Cyber Assets within the
Electronic Security Perimeter(s) as identified and documented in
Standard CIP-005-3.
1. Formal procedures and processes should be implemented to sanitize media containing protected
information prior to disposal, release out of organizational control, or release for reuse. Mechanisms
should sanitize information to the strength and integrity commensurate with the security category or
classification of the information.
CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall
document and implement a cyber security policy that represents
management’s commitment and ability to secure its Critical Cyber
Assets. The Responsible Entity shall, at minimum, ensure the
following:
1. Rules for protection of the confidentiality and integrity of information in transit, while on the network or
when using remote access, should be included in the entity's official security policy.
CIP-003-3 R4: Information Protection — The Responsible Entity
shall implement and document a program to identify, classify, and
protect information associated with Critical Cyber Assets.
1. Formal procedures and processes should be implemented to identify and secure protected information
at rest and data in transit.
CIP-004-3 R4.2: The Responsible Entity shall revoke such access to
Critical Cyber Assets within 24 hours for personnel terminated for
cause and within seven calendar days for personnel who no longer
require such access to Critical Cyber Assets.
1. Access control rules should cover protection of the confidentiality and integrity of information in transit
while on the network or when using remote access. Proper access controls (i.e.: provisioning, revocation)
should be used to restrict access to such information.
PR.DS-2: Data-in-transit is protected ACM-1b
TVM-1c
TVM-2c
CPM-3b ACM-1e
TVM-2i
TVM-2n
Page 9 of 23
Mapping of NIST Cybersecurity Framework to NERC CIP version 3, Nov-14
Columns: Function | Category | Subcategory | C2M2 Practices ** (MIL 1, MIL 2, MIL 3) | NERC CIP v3 | Guidance for combined NERC CIP v3 & NIST CSF
CIP-005-3 R1: Electronic Security Perimeter — The Responsible
Entity shall ensure that every Critical Cyber Asset resides within an
Electronic Security Perimeter. The Responsible Entity shall identify
and document the Electronic Security Perimeter(s) and all access
points to the perimeter(s).
1. Access control rules should protect the confidentiality and integrity of information in transit while on the network or when using remote access. Proper access controls (e.g. provisioning and revocation) should be used to restrict access to such information.
2. Access points to a higher security zone should include controls for protecting the data traversing those
boundaries.
CIP-005-3 R2: Electronic Access Controls — The Responsible Entity
shall implement and document the organizational processes and
technical and procedural mechanisms for control of electronic
access at all electronic access points to the Electronic Security
Perimeter(s).
1. There should be formal procedures and processes to implement secure remote access for the
transmission of protected information. Reference the definition of Interactive Remote Access.
CIP-007-3 R4: Malicious Software Prevention — The Responsible
Entity shall use anti-virus software and other malicious software
(“malware”) prevention tools, where technically feasible, to detect,
prevent, deter, and mitigate the introduction, exposure, and
propagation of malware on all Cyber Assets within the Electronic
Security Perimeter(s).
1. Monitoring, detection and prevention of malicious code should be implemented to protect information
in transit.
CIP-007-3 R5: Account Management — The Responsible Entity
shall establish, implement, and document technical and procedural
controls that enforce access authentication of, and accountability
for, all user activity, and that minimize the risk of unauthorized
system access.
1. Access control rules should protect the confidentiality and integrity of information in transit while on the network or when using remote access. Proper access controls (e.g. provisioning and revocation) should be used to restrict access to such information.
PR.DS-3: Assets are formally managed
throughout removal, transfers, and disposition
ACM-1a
ACM-1b
ACM-2a
ACM-2b
ACM-3a
ACM-3b
ACM-1c
ACM-1d
ACM-2c
ACM-3c
ACM-3d
ACM-4a
ACM-4b
ACM-4c
ACM-4d
ACM-1e
ACM-1f
ACM-2d
ACM-2e
ACM-3e
ACM-3f
ACM-4e
ACM-4f
ACM-4g
ACM-4h
ACM-4i
CIP-007-3 R7: Disposal or Redeployment — The Responsible Entity
shall establish and implement formal methods, processes, and
procedures for disposal or redeployment of Cyber Assets within the
Electronic Security Perimeter(s) as identified and documented in
Standard CIP-005-3.
1. Formal procedures and processes should be implemented to sanitize media containing protected
information prior to disposal, release out of organizational control, or release for reuse. Mechanisms
should sanitize information to the strength and integrity commensurate with the security category or
classification of the information.
PR.DS-4: Adequate capacity to ensure availability is maintained
TVM-1c
TVM-2c
CPM-3b
TVM-2i
TVM-2n
CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall document and implement a cyber security policy that represents management’s commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following:
1. Contingency planning rules should be included in the organization's policy statements.
CIP-007-3 R4: Malicious Software Prevention — The Responsible Entity shall use anti-virus software and other malicious software (“malware”) prevention tools, where technically feasible, to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all Cyber Assets within the Electronic Security Perimeter(s).
1. Formal procedures and processes should be implemented to protect against or limit the effects of denial of service attacks, including the management of excess capacity, bandwidth, or other redundancy to limit the effects of information-flooding denial of service attacks and to counter flooding attacks.
CIP-007-3 R6.4: The Responsible Entity shall retain all logs specified
in Requirement R6 for ninety calendar days.
1. Where possible, ensure capacity monitoring is included in the organization's event log monitoring program.
CIP-009-3 R1: Recovery Plans — The Responsible Entity shall
create and annually review recovery plan(s) for Critical Cyber
Assets. The recovery plan(s) shall address at a minimum the
following:
1. Formal procedures and processes should be implemented for contingency planning as part of an
overall program for achieving business continuity. Contingency planning addresses both information
system restoration and implementation of alternative mission/business processes when systems are
compromised.
CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall
document and implement a cyber security policy that represents
management’s commitment and ability to secure its Critical Cyber
Assets. The Responsible Entity shall, at minimum, ensure the
following:
1. Rules for protection of the confidentiality and integrity of information from data leaks when it is located
on storage devices should be included in the entity's official security policy.
CIP-003-3 R4: Information Protection — The Responsible Entity
shall implement and document a program to identify, classify, and
protect information associated with Critical Cyber Assets.
1. The information protection program can consist of policy controls such as document markings, secure handling procedures and secure destruction procedures, and technical controls such as access control, encryption, or data loss prevention.
CIP-004-3 R4.2: The Responsible Entity shall revoke such access to
Critical Cyber Assets within 24 hours for personnel terminated for
cause and within seven calendar days for personnel who no longer
require such access to Critical Cyber Assets.
1. Access control rules should protect the confidentiality and integrity of information in transit while on the network or when using remote access. Proper access controls (e.g. provisioning and revocation) should be used to restrict access to such information.
CIP-005-3 R1: Electronic Security Perimeter — The Responsible
Entity shall ensure that every Critical Cyber Asset resides within an
Electronic Security Perimeter. The Responsible Entity shall identify
and document the Electronic Security Perimeter(s) and all access
points to the perimeter(s).
1. Formal procedures and processes should be implemented to ensure that protected information is properly segmented and that information-flow access controls are enforced. Flow access controls should be automatically enforced where possible.
CIP-005-3 R2: Electronic Access Controls — The Responsible Entity
shall implement and document the organizational processes and
technical and procedural mechanisms for control of electronic
access at all electronic access points to the Electronic Security
Perimeter(s).
1. Formal processes and procedures should be implemented to ensure that encrypted information does
not bypass system monitoring capabilities. This includes the proper configuration of encryption
termination points.
PROTECT
(PR)
PR.DS-5: Protections against data leaks are
implemented
TVM-1c
TVM-2c
CPM-3b TVM-2i
TVM-2n
CIP-007-3 R4: Malicious Software Prevention — The Responsible
Entity shall use anti-virus software and other malicious software
(“malware”) prevention tools, where technically feasible, to detect,
prevent, deter, and mitigate the introduction, exposure, and
propagation of malware on all Cyber Assets within the Electronic
Security Perimeter(s).
1. Formal procedures and processes should be implemented to prevent, deter, detect, and mitigate malicious code whose purpose is to leak data.
CIP-007-3 R5: Account Management — The Responsible Entity
shall establish, implement, and document technical and procedural
controls that enforce access authentication of, and accountability
for, all user activity, and that minimize the risk of unauthorized
system access.
1. Access control rules should protect the confidentiality and integrity of information in transit while on the network or when using remote access. Proper access controls (e.g. provisioning and revocation) should be used to restrict access to such information.
CIP-007-3 R5: Account Management — The Responsible Entity
shall establish, implement, and document technical and procedural
controls that enforce access authentication of, and accountability
for, all user activity, and that minimize the risk of unauthorized
system access.
1. Formal procedures and processes should be implemented to manage system access controls, to prevent data leaks through vulnerable user and system accounts.
CIP-007-3 R6: Security Status Monitoring — The Responsible Entity
shall ensure that all Cyber Assets within the Electronic Security
Perimeter, as technically feasible, implement automated tools or
organizational process controls to monitor system events that are
related to cyber security.
1. Formal procedures and processes should be implemented to ensure that security events are monitored so that data leaks can be detected and information protected.
CIP-007-3 R7: Disposal or Redeployment — The Responsible Entity
shall establish and implement formal methods, processes, and
procedures for disposal or redeployment of Cyber Assets within the
Electronic Security Perimeter(s) as identified and documented in
Standard CIP-005-3.
1. The information protection program can consist of policy controls such as document markings, secure handling procedures and secure destruction procedures, and technical controls such as access control, encryption, or data loss prevention.
CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall
document and implement a cyber security policy that represents
management’s commitment and ability to secure its Critical Cyber
Assets. The Responsible Entity shall, at minimum, ensure the
following:
1. Rules for the implementation of configuration management of software, firmware, and information integrity should be included in the entity's official security policy.
CIP-003-3 R6: Change Control and Configuration Management —
The Responsible Entity shall establish and document a process of
change control and configuration management for adding,
modifying, replacing, or removing Critical Cyber Asset hardware or
software, and implement supporting configuration management
activities to identify, control and document all entity or vendor-related
changes to hardware and software components of Critical Cyber
Assets pursuant to the change control process.
1. Formal processes and procedures should be implemented to monitor the approved configuration of
hardware, software, and firmware to detect any unauthorized changes.
PR.DS-6: Integrity checking mechanisms are
used to verify software, firmware, and
information integrity
ACM-3d
CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall
document and implement a cyber security policy that represents
management’s commitment and ability to secure its Critical Cyber
Assets. The Responsible Entity shall, at minimum, ensure the
following:
1. Rules for the segregation of production and test environments should be included in the entity's official security policy.
CIP-003-3 R6: Change Control and Configuration Management —
The Responsible Entity shall establish and document a process of
change control and configuration management for adding,
modifying, replacing, or removing Critical Cyber Asset hardware or
software, and implement supporting configuration management
activities to identify, control and document all entity or vendor-related
changes to hardware and software components of Critical Cyber
Assets pursuant to the change control process.
1. Formal procedures and processes should require testing of changes before they are applied to the production environment. A designated, separate test environment should be used where possible.
CIP-005-3 R1: Electronic Security Perimeter — The Responsible
Entity shall ensure that every Critical Cyber Asset resides within an
Electronic Security Perimeter. The Responsible Entity shall identify
and document the Electronic Security Perimeter(s) and all access
points to the perimeter(s).
1. Formal procedures and processes should be implemented to properly segregate test and production
network environments.
PR.IP-1: A baseline configuration of
information technology/industrial control
systems is created and maintained
ACM-2a
ACM-2b
ACM-2c ACM-2d
ACM-2e
CIP-003-3 R6: Change Control and Configuration Management —
The Responsible Entity shall establish and document a process of
change control and configuration management for adding,
modifying, replacing, or removing Critical Cyber Asset hardware or
software, and implement supporting configuration management
activities to identify, control and document all entity or vendor-related
changes to hardware and software components of Critical Cyber
Assets pursuant to the change control process.
1. Ensure baseline configurations are protected from possible compromise.
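The PR.DS-6 guidance (monitor the approved configuration of hardware, software and firmware to detect unauthorized change) and the PR.IP-1 guidance just above (protect the baseline itself from compromise) describe one mechanism. The following is an added example, not code from the working group's mapping or from any NERC or NIST publication: it hashes a constructed set of files for a hypothetical Cyber Asset, seals the baseline table with an HMAC under a key assumed to be held off the asset (so an attacker who alters a file cannot also rewrite the baseline to match), and reports drift. The file paths, contents and key are invented for the illustration.

```python
import hashlib
import hmac
import json

# Constructed sample: the approved file set of a hypothetical Cyber Asset.
# Paths and contents are invented for the illustration.
APPROVED_FILES = {
    "/opt/hmi/bin/hmi_server": b"\x7fELF hypothetical HMI binary build 2.3",
    "/opt/hmi/etc/points.cfg": b"point,scale\nbreaker_52A,1\n",
    "/boot/firmware/rtu.bin": b"hypothetical RTU firmware 4.1.0",
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def _seal(entries, baseline_key):
    # Canonical JSON so the MAC does not depend on dict ordering.
    body = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(baseline_key, body, hashlib.sha256).hexdigest()


def build_baseline(files, baseline_key):
    """Hash every approved file and seal the table with an HMAC. The key is
    assumed to live off the asset (e.g. on the monitoring host), so someone
    who can modify files on the asset cannot also rewrite the baseline."""
    entries = {path: sha256_hex(data) for path, data in files.items()}
    return {"entries": entries, "mac": _seal(entries, baseline_key)}


def verify_baseline_seal(baseline, baseline_key):
    return hmac.compare_digest(_seal(baseline["entries"], baseline_key),
                               baseline["mac"])


def check_integrity(baseline, current_files, baseline_key):
    """Compare the live file set against the sealed baseline and report drift.
    A baseline that fails its seal check is an incident in itself: refuse to
    compare against it rather than risk reporting 'clean'."""
    if not verify_baseline_seal(baseline, baseline_key):
        raise ValueError("baseline seal invalid: baseline may have been tampered with")
    expected = baseline["entries"]
    modified = sorted(p for p in expected
                      if p in current_files and sha256_hex(current_files[p]) != expected[p])
    missing = sorted(p for p in expected if p not in current_files)
    unexpected = sorted(p for p in current_files if p not in expected)
    return {"modified": modified, "missing": missing, "unexpected": unexpected,
            "clean": not (modified or missing or unexpected)}


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-this-off-the-asset"
    baseline = build_baseline(APPROVED_FILES, key)
    live = dict(APPROVED_FILES)
    live["/opt/hmi/etc/points.cfg"] = b"point,scale\nbreaker_52A,10\n"  # unauthorised edit
    print(check_integrity(baseline, live, key))
```

In practice the live file set would be read from the asset (or from a firmware image pulled over the vendor's maintenance interface) and the sealed baseline kept with the change control record, so that every approved change produces a new sealed baseline and anything else shows up as drift.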
PR.IP-2: A System Development Life Cycle to
manage systems is implemented
ACM-3d
1. A framework for SDLC can be included in an entity's Change Management and Configuration Monitoring program.
Information Protection Processes and Procedures
(IP): Security policies (that address purpose, scope,
roles, responsibilities, management commitment, and
coordination among organizational entities), processes,
and procedures are maintained and used to manage
protection of information systems and assets.
PR.DS-7: The development and testing
environment(s) are separate from the
production environment
ACM-3c ACM-3e
CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall
document and implement a cyber security policy that represents
management’s commitment and ability to secure its Critical Cyber
Assets. The Responsible Entity shall, at minimum, ensure the
following:
1. Change control policies should include broad requirements for what types of activities constitute a
change
CIP-003-3 R6: Change Control and Configuration Management —
The Responsible Entity shall establish and document a process of
change control and configuration management for adding,
modifying, replacing, or removing Critical Cyber Asset hardware or
software, and implement supporting configuration management
activities to identify, control and document all entity or vendor-related
changes to hardware and software components of Critical Cyber
Assets pursuant to the change control process.
1. Change control procedures should include specific requirements for what types of activities constitute
a change
CIP-009-3 R4: Backup and Restore — The recovery plan(s) shall
include processes and procedures for the backup and storage of
information required to successfully restore Critical Cyber Assets.
For example, backups may include spare electronic components or
equipment, written documentation of configuration settings, tape
backup, etc.
1. Recovery plans should specify business requirements for data retention and periodicity of backups.
CIP-009-3 R5: Testing Backup Media — Information essential to
recovery that is stored on backup media shall be tested at least
annually to ensure that the information is available. Testing can be
completed off site.
1. Recovery plan testing should occur at a frequency commensurate with the importance of the asset.
2. Recovery plans should be tested after any major change or upgrade to a system.
PR.IP-5: Policy and regulations regarding the
physical operating environment for
organizational assets are met
RM-2b
IAM-2a
RM-3f
IAM-3f
CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall
document and implement a cyber security policy that represents
management’s commitment and ability to secure its Critical Cyber
Assets. The Responsible Entity shall, at minimum, ensure the
following:
1. Policies should contain requirements for the physical operating environment of the cyber system,
including environmental (temperature, moisture, vibration, dust), power (redundant feeds, battery), and
fire-suppression. Policies should contain requirements for environmental monitoring of the physical
operating environment.
PR.IP-3: Configuration change control processes are in place
ACM-3a
ACM-3b
ACM-3c
ACM-3d
ACM-3e
ACM-3f
PR.IP-4: Backups of information are conducted, maintained, and tested periodically
IR-4a
IR-4b
IR-4c
IR-4f
IR-4g
IR-4j
PR.IP-6: Data is destroyed according to policy
ACM-3d
CIP-007-3 R7: Disposal or Redeployment — The Responsible Entity shall establish and implement formal methods, processes, and procedures for disposal or redeployment of Cyber Assets within the Electronic Security Perimeter(s) as identified and documented in Standard CIP-005-3.
1. Implement a management control to test a sampling of retired systems to ensure data is no longer accessible.
PR.IP-7: Protection processes are continuously improved
TVM-1h
CPM-1g
CIP-007-3 R8: Cyber Vulnerability Assessment — The Responsible Entity shall perform a cyber vulnerability assessment of all Cyber Assets within the Electronic Security Perimeter at least annually. The vulnerability assessment shall include, at a minimum, the following:
1. The stated goal of the entity's vulnerability assessment program should be the strengthening of
security controls through a process of regular review and assessment
2. Assessments should evaluate the current threat landscape and the ability of existing controls to
mitigate or eliminate the risk
CIP-007-3 R8: Cyber Vulnerability Assessment — The Responsible
Entity shall perform a cyber vulnerability assessment of all Cyber
Assets within the Electronic Security Perimeter at least annually. The
vulnerability assessment shall include, at a minimum, the following:
1. Results of vulnerability assessments should be communicated to key stakeholders, to include a frank
assessment of the effectiveness of the security controls.
CIP-008-3 R1: Cyber Security Incident Response Plan — The
Responsible Entity shall develop and maintain a Cyber Security
Incident response plan and implement the plan in response to Cyber
Security Incidents. The Cyber Security Incident response plan shall
address, at a minimum, the following:
1. Results of incident response tests should be communicated to key stakeholders, to include a frank
assessment of the effectiveness of the response actions and security controls.
CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall
document and implement a cyber security policy that represents
management’s commitment and ability to secure its Critical Cyber
Assets. The Responsible Entity shall, at minimum, ensure the
following:
1. Policies should contain language addressing the management of the recovery plans
PR.IP-8: Effectiveness of protection
technologies is shared with appropriate parties
ISC-1a
ISC-1b
ISC-1c
ISC-1d
ISC-1e
ISC-1f
ISC-1g
ISC-2b
ISC-1h
ISC-1i
ISC-1j
ISC-1k
ISC-1l
PR.IP-9: Response plans (Incident Response
and Business Continuity) and recovery plans
(Incident Recovery and Disaster Recovery) are
in place and managed
IR-4c IR-3e
IR-3f
IR-4d
IR-4f
IR-5a
IR-5b
IR-5c
IR-5d
RM-1a
RM-1b
TVM-1d
IR-3k
IR-3m
IR-4i
IR-4j
IR-5e
IR-5f
IR-5g
IR-5h
IR-5i
RM-1c
CIP-008-3 R1: Cyber Security Incident Response Plan — The
Responsible Entity shall develop and maintain a Cyber Security
Incident response plan and implement the plan in response to Cyber
Security Incidents. The Cyber Security Incident response plan shall
address, at a minimum, the following:
1. Plans are in place and managed
CIP-009-3 R1: Recovery Plans — The Responsible Entity shall
create and annually review recovery plan(s) for Critical Cyber
Assets. The recovery plan(s) shall address at a minimum the
following:
1. Plans are in place and managed
CIP-009-3 R3: Change Control — Recovery plan(s) shall be updated
to reflect any changes or lessons learned as a result of an exercise
or the recovery from an actual incident. Updates shall be
communicated to personnel responsible for the activation and
implementation of the recovery plan(s) within thirty calendar days of
the change being completed.
1. Plans are in place and managed
CIP-008-3 R1: Cyber Security Incident Response Plan — The
Responsible Entity shall develop and maintain a Cyber Security
Incident response plan and implement the plan in response to Cyber
Security Incidents. The Cyber Security Incident response plan shall
address, at a minimum, the following:
1. Plans are implemented when required and tested regularly
PR.IP-10: Response and recovery plans are tested
IR-3e
IR-4f
IR-3k
IR-4i
IR-4j
CIP-009-3 R2: Exercises — The recovery plan(s) shall be exercised
at least annually. An exercise of the recovery plan(s) can range from
a paper drill, to a full operational exercise, to recovery from an actual
incident.
1. Plans are implemented when required and tested regularly
CIP-004-3 R3: Personnel Risk Assessment —The Responsible Entity
shall have a documented personnel risk assessment program, in
accordance with federal, state, provincial, and local laws, and
subject to existing collective bargaining unit agreements, for
personnel having authorized cyber or authorized unescorted physical
access to Critical Cyber Assets. A personnel risk assessment shall
be conducted pursuant to that program prior to such personnel being
granted such access except in specified circumstances such as an
emergency.
1. Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
CIP-004-3 R4.2: The Responsible Entity shall revoke such access to
Critical Cyber Assets within 24 hours for personnel terminated for
cause and within seven calendar days for personnel who no longer
require such access to Critical Cyber Assets.
1. Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
CIP-007-3 R5: Account Management — The Responsible Entity
shall establish, implement, and document technical and procedural
controls that enforce access authentication of, and accountability
for, all user activity, and that minimize the risk of unauthorized
system access.
1. Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
CIP-007-3 R3: Security Patch Management — The Responsible
Entity, either separately or as a component of the documented
configuration management process specified in CIP-003-3
Requirement R6, shall establish, document and implement a security
patch management program for tracking, evaluating, testing, and
installing applicable cyber security software patches for all Cyber
Assets within the Electronic Security Perimeter(s).
1. Develop a holistic vulnerability management plan that includes patch management, malicious software
prevention, and regular vulnerability assessments - including scanning where feasible
PR.IP-12: A vulnerability management plan is
developed and implemented
TVM-2d
TVM-2e
TVM-3e
TVM-3f
PR.IP-11: Cybersecurity is included in human
resources practices (e.g., deprovisioning,
personnel screening)
WM-2a
WM-2b
WM-2c
WM-2d
WM-2e
WM-2f
WM-2g
WM-2h
CIP-007-3 R4: Malicious Software Prevention — The Responsible
Entity shall use anti-virus software and other malicious software
(“malware”) prevention tools, where technically feasible, to detect,
prevent, deter, and mitigate the introduction, exposure, and
propagation of malware on all Cyber Assets within the Electronic
Security Perimeter(s).
1. Develop a holistic vulnerability management plan that includes patch management, malicious software
prevention, and regular vulnerability assessments - including scanning where feasible
CIP-007-3 R8: Cyber Vulnerability Assessment — The Responsible
Entity shall perform a cyber vulnerability assessment of all Cyber
Assets within the Electronic Security Perimeter at least annually. The
vulnerability assessment shall include, at a minimum, the following:
1. Develop a holistic vulnerability management plan that includes patch management, malicious software
prevention, and regular vulnerability assessments - including scanning where feasible
CIP-003-3 R6: Change Control and Configuration Management —
The Responsible Entity shall establish and document a process of
change control and configuration management for adding,
modifying, replacing, or removing Critical Cyber Asset hardware or
software, and implement supporting configuration management
activities to identify, control and document all entity or vendor-related
changes to hardware and software components of Critical Cyber
Assets pursuant to the change control process.
1. Maintenance practices should be addressed in, and follow, the organization's change control practices.
CIP-006-3 R8: Maintenance and Testing — The Responsible Entity
shall implement a maintenance and testing program to ensure that
all physical security systems under Requirements R4, R5, and R6
function properly. The program must include, at a minimum, the
following:
1. Like in CIP-006-5 R3, entities should consider a formal process for maintaining and testing the
mechanisms used for electronic access control. This should include the testing of the changes prior to
implementation.
CIP-003-3 R6: Change Control and Configuration Management —
The Responsible Entity shall establish and document a process of
change control and configuration management for adding,
modifying, replacing, or removing Critical Cyber Asset hardware or
software, and implement supporting configuration management
activities to identify, control and document all entity or vendor-related
changes to hardware and software components of Critical Cyber
Assets pursuant to the change control process.
1. Maintenance practices should be addressed in, and follow, the organization's change control practices.
Maintenance (MA): Maintenance and repairs of industrial control and information system components is performed consistent with policies and procedures.
PR.MA-1: Maintenance and repair of organizational assets is performed and logged in a timely manner, with approved and controlled tools
IAM-2a
ACM-1c
ACM-3f
PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access
SA-1a
IR-1c
IAM-2a
IAM-2b
IAM-2c
IAM-2d
IAM-2e
IAM-2f
IAM-2g
IAM-2h
IAM-2i
CIP-005-3 R2: Electronic Access Controls — The Responsible Entity shall implement and document the organizational processes and technical and procedural mechanisms for control of electronic access at all electronic access points to the Electronic Security Perimeter(s).
1. Formal processes and procedures should be implemented to manage the use of remote access for performing maintenance functions in accordance with the configuration management program or process.
CIP-006-3 R8: Maintenance and Testing — The Responsible Entity
shall implement a maintenance and testing program to ensure that
all physical security systems under Requirements R4, R5, and R6
function properly. The program must include, at a minimum, the
following:
1. Like in CIP-006-5 R3, entities should consider a formal process for maintaining and testing the
mechanisms used for electronic access control. This should include the testing of the changes prior to
implementation.
CIP-006-3 R1.6: A visitor control program for visitors (personnel
without authorized unescorted access to a Physical Security
Perimeter), containing at a minimum the following:
1. Formal processes and procedures should be implemented to log successful and unsuccessful access
attempts.
CIP-006-3 R2: Protection of Physical Access Control Systems —
Cyber Assets that authorize and/or log access to the Physical
Security Perimeter(s), exclusive of hardware at the Physical Security
Perimeter access point such as electronic lock control mechanisms
and badge readers, shall:
CIP-006-3 R2.1: Be protected from unauthorized physical access.
1. Formal processes and procedures should be implemented to monitor for unauthorized access.
CIP-006-3 R6: Logging Physical Access — Logging shall record
sufficient information to uniquely identify individuals and the time of
access twenty-four hours a day, seven days a week. The
Responsible Entity shall implement and document the technical and
procedural mechanisms for logging physical entry at all access
points to the Physical Security Perimeter(s) using one or more of the
following logging methods or their equivalent:
• Computerized Logging: Electronic logs produced by the Responsible Entity’s selected access control and monitoring method.
• Video Recording: Electronic capture of video images of sufficient quality to determine identity.
• Manual Logging: A log book or sign-in sheet, or other record of physical access maintained by security or other personnel authorized to control and monitor physical access as specified in Requirement R4.
1. Formal processes and procedures should be implemented to log successful and unsuccessful access
attempts.
Protective Technology (PT): Technical security
solutions are managed to ensure the security and
resilience of systems and assets, consistent with
related policies, procedures, and agreements.
PR.PT-1: Audit/log records are determined,
documented, implemented, and reviewed in
accordance with policy
SA-1a
SA-2a
SA-1b
SA-1c
SA-2e
SA-4a
SA-1d
SA-1e
SA-3d
SA-4e
CIP-006-3 R7: Access Log Retention — The Responsible Entity shall
retain physical access logs for at least ninety calendar days. Logs
related to reportable incidents shall be kept in accordance with the
requirements of Standard CIP-008-3.
1. Formal processes and procedures should be implemented to retain audit logs.
CIP-006-3 R7: Access Log Retention — The Responsible Entity shall
retain physical access logs for at least ninety calendar days. Logs
related to reportable incidents shall be kept in accordance with the
requirements of Standard CIP-008-3.
1. Formal processes and procedures should be implemented to retain audit logs.
CIP-007-3 R6.4: The Responsible Entity shall retain all logs specified
in Requirement R6 for ninety calendar days.
1. Formal processes and procedures should be implemented to retain audit logs.
CIP-007-3 R6.5: The Responsible Entity shall review logs of system
events related to cyber security and maintain records documenting
review of logs.
1. Formal processes and procedures should be implemented to ensure receipt of required audit logs and
identify failures of logging capabilities.
PR.PT-2: Removable media is protected and its
use restricted according to policy
IAM-2a
IAM-2b
IAM-1c
IAM-2c IAM-2e
IAM-3f
IAM-1i
1. This requirement will be addressed in CIP version 6
CIP-004-3 R4.2: The Responsible Entity shall revoke such access to
Critical Cyber Assets within 24 hours for personnel terminated for
cause and within seven calendar days for personnel who no longer
require such access to Critical Cyber Assets.
1. A formal procedure or process should be defined for revoking logical system access and shared
account access. The procedure or process should clearly state the triggering events (e.g., termination,
promotion, job transfer) for access revocation and how those events are incorporated into access
revocation processes. This can be accomplished through a written procedure or documented workflow.
CIP-005-3 R2: Electronic Access Controls — The Responsible Entity
shall implement and document the organizational processes and
technical and procedural mechanisms for control of electronic
access at all electronic access points to the Electronic Security
Perimeter(s).
1. There should be a formal procedure or process to monitor and control remote access.
CIP-007-3 R5.1: The Responsible Entity shall ensure that individual
and shared system accounts and authorized access permissions are
consistent with the concept of “need to know” with respect to work
functions performed.
1. A formal procedure or process should be defined for managing logical system access. The procedure
or process should encompass: (1) granting of access (including training and background checks), and (2)
periodic review of access permissions (including review and update of training and background checks).
The procedure or process should demonstrate implementation of "principle of least privilege" or "need to
know". This can be accomplished through a written procedure or documented workflow.
PR.PT-3: Access to systems and assets is
controlled, incorporating the principle of least
functionality
IAM-2a
IAM-2b
IAM-2c
IAM-2d
IAM-2e
IAM-2f
IAM-2g
IAM-2h
IAM-2i
CIP-007-3 R5: Account Management — The Responsible Entity
shall establish, implement, and document technical and procedural
controls that enforce access authentication of, and accountability
for, all user activity, and that minimize the risk of unauthorized
system access.
1. There should be a formal procedure or process for managing system access controls to protect
systems from unauthorized access. The procedure or process should define: (1) the use of authentication
methods; (2) management of default accounts provided by vendors and accounts shared by multiple
people; (3) management of all entity-defined accounts shared by multiple people, including generic,
service, and administrator accounts; (4) implementation of password requirements, including complexity
and periodic changes; and (5) limiting and alerting on unsuccessful login attempts for all accounts.
CIP-005-3 R1: Electronic Security Perimeter — The Responsible
Entity shall ensure that every Critical Cyber Asset resides within an
Electronic Security Perimeter. The Responsible Entity shall identify
and document the Electronic Security Perimeter(s) and all access
points to the perimeter(s).
1. There should be a formal procedure or process to secure communications and control networks.
CIP-005-3 R2: Electronic Access Controls — The Responsible Entity
shall implement and document the organizational processes and
technical and procedural mechanisms for control of electronic
access at all electronic access points to the Electronic Security
Perimeter(s).
1. There should be a formal procedure or process to secure communications and control networks that
are reached through remote access.
CIP-007-3 R5: Account Management — The Responsible Entity
shall establish, implement, and document technical and procedural
controls that enforce access authentication of, and accountability
for, all user activity, and that minimize the risk of unauthorized
system access.
1. Rules for the implementation of access control to communications and control network protections
should be included in the entity's official security policy.
DE.AE-1: A baseline of network operations and
expected data flows for users and systems is
established and managed
SA-2b SA-2e
1. Baseline network monitoring practices can be integrated within the entity's CIP-005-5 R1.5 Malicious
Communications program, CIP-007-5 R3 Malicious Code Prevention program, and/or CIP-010-1 R2
Change Monitoring program.
CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall
document and implement a cyber security policy that represents
management’s commitment and ability to secure its Critical Cyber
Assets. The Responsible Entity shall, at minimum, ensure the
following:
1. Security policy must include intrusion detection and a process for analyzing detected events, including
target and attack methodology.
CIP-007-3 R6: Security Status Monitoring — The Responsible Entity
shall ensure that all Cyber Assets within the Electronic Security
Perimeter, as technically feasible, implement automated tools or
organizational process controls to monitor system events that are
related to cyber security.
1. Monitoring tools and log sources should be configured to collect event data at a level of granularity
necessary to effectively analyze the event.
CIP-008-3 R1: Cyber Security Incident Response Plan — The
Responsible Entity shall develop and maintain a Cyber Security
Incident response plan and implement the plan in response to Cyber
Security Incidents. The Cyber Security Incident response plan shall
address, at a minimum, the following:
1. Response plans should include processes for detailed analysis of the event, and a feedback loop to
ensure the same event will be more effectively detected or prevented in the future.
Anomalies and Events (AE): Anomalous activity is
detected in a timely manner and the potential impact of
events is understood.
DE.AE-2: Detected events are analyzed to
understand attack targets and methods
IR-2i
IR-3h
PR.PT-4: Communications and control
networks are protected
CPM-3a CPM-3b
CPM-3c
CPM-3d
DE.AE-3: Event data are aggregated and
correlated from multiple sources and sensors
IR-1e IR-1f
IR-2i
CIP-007-3 R6: Security Status Monitoring — The Responsible Entity
shall ensure that all Cyber Assets within the Electronic Security
Perimeter, as technically feasible, implement automated tools or
organizational process controls to monitor system events that are
related to cyber security.
1. Select and implement security event logging and monitoring tools that can analyze events from
multiple sources and are capable of alerting based on correlated events
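A defender-side illustration of two guidance items above: PR.PT-3 item (5), limiting and alerting on unsuccessful login attempts, and DE.AE-3, tools that aggregate events from multiple sources and alert on correlated events, together with the CIP-007-3 R6.5 note about identifying failures of logging capabilities. This is an added example, not code from the CSSWG mapping or from either framework. The host names, account names, log line formats, the five-minute window and the threshold of five failures are constructed assumptions; an entity would take the window and threshold from its own policy.

```python
"""Correlate authentication failures from several log sources, alert when the
same account exceeds a failure threshold inside a sliding window, and flag
required sources that delivered no events at all (a logging failure)."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample input (not from any real system): three sources in three
# different formats, plus one required source that sent nothing.
SAMPLE_LOGS = {
    "ems-hmi01": [  # constructed Windows-style security log lines
        "2014-11-03T08:00:05 EventID=4625 Account=opr_jdoe Status=0xC000006A",
        "2014-11-03T08:00:09 EventID=4625 Account=opr_jdoe Status=0xC000006A",
        "2014-11-03T08:00:14 EventID=4624 Account=opr_asmith",
    ],
    "vpn-gw01": [  # constructed remote-access gateway syslog lines
        "Nov  3 08:01:02 vpn-gw01 sshd[311]: Failed password for opr_jdoe from 10.0.9.14 port 51022",
        "Nov  3 08:01:41 vpn-gw01 sshd[311]: Failed password for opr_jdoe from 10.0.9.14 port 51023",
    ],
    "rtu-fw01": [  # constructed firewall authentication lines
        "2014-11-03 08:02:10 auth-fail user=opr_jdoe src=10.0.9.14",
        "2014-11-03 08:40:00 auth-ok user=opr_asmith src=10.0.3.2",
    ],
    "hist-db01": [],  # constructed: a required source that reported nothing
}


@dataclass(frozen=True)
class AuthFailure:
    when: datetime
    source: str
    account: str


# One normaliser per source format; each yields an AuthFailure or None.
_WIN = re.compile(r"^(\S+) EventID=4625 Account=(\S+)")
_SSH = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for (\S+)")
_FW = re.compile(r"^(\S+ \S+) auth-fail user=(\S+)")


def parse_line(source: str, line: str, year: int = 2014) -> AuthFailure | None:
    """Map one raw line to a common failure record; non-failures return None."""
    if m := _WIN.match(line):
        return AuthFailure(datetime.fromisoformat(m[1]), source, m[2])
    if m := _SSH.match(line):  # syslog carries no year; take it from context
        when = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S")
        return AuthFailure(when, source, m[2])
    if m := _FW.match(line):
        return AuthFailure(datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S"), source, m[2])
    return None


def collect_failures(logs: dict[str, list[str]]) -> list[AuthFailure]:
    """Normalise every source into one time-ordered list of failures."""
    found = [f for src, lines in logs.items() for line in lines if (f := parse_line(src, line))]
    return sorted(found, key=lambda f: f.when)


def correlate(failures, window=timedelta(minutes=5), threshold=5):
    """Return {account: (count, sources)} for accounts with at least `threshold`
    failures inside any `window`, regardless of which sources saw them."""
    by_account = defaultdict(list)
    for f in failures:
        by_account[f.account].append(f)
    alerts = {}
    for account, events in by_account.items():
        start = 0
        for end in range(len(events)):
            while events[end].when - events[start].when > window:
                start += 1  # slide the window forward
            run = events[start:end + 1]
            if len(run) >= threshold:
                alerts[account] = (len(run), sorted({e.source for e in run}))
    return alerts


def silent_sources(logs):
    """Required sources that delivered no events: a logging failure to chase."""
    return sorted(src for src, lines in logs.items() if not lines)


if __name__ == "__main__":
    print(correlate(collect_failures(SAMPLE_LOGS)))
    print(silent_sources(SAMPLE_LOGS))
```

The point of normalising first is that no single source sees five failures for opr_jdoe; only the combined view crosses the threshold, which is what DE.AE-3 asks for. The silent-source check is deliberately separate from the correlation: an empty feed is a finding in its own right, not merely an absence of alerts.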
DE.AE-4: Impact of events is determined
IR-2b IR-2d IR-2g
CIP-008-3 R1.2: Response actions, including roles and
responsibilities of Cyber Security Incident response teams, Cyber
Security Incident handling procedures, and communication plans.
1. Must have a procedure for classifying events, e.g., analyzing their impact.
CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall
document and implement a cyber security policy that represents
management’s commitment and ability to secure its Critical Cyber
Assets. The Responsible Entity shall, at minimum, ensure the
following:
1. Policies should address thresholds for invoking the response plans
CIP-008-3 R1: Cyber Security Incident Response Plan — The
Responsible Entity shall develop and maintain a Cyber Security
Incident response plan and implement the plan in response to Cyber
Security Incidents. The Cyber Security Incident response plan shall
address, at a minimum, the following:
1. Response to incidents should be triggered based on thresholds established with the plan and per the
entity's policies
CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall
document and implement a cyber security policy that represents
management’s commitment and ability to secure its Critical Cyber
Assets. The Responsible Entity shall, at minimum, ensure the
following:
1. Roles and responsibilities of personnel as they relate to detected security events should be defined, as
well as the training programs necessary to disseminate the required information.
CIP-003-3 R2.3: Where allowed by Standards CIP-002-3 through
CIP-009-3, the senior manager may delegate authority for specific
actions to a named delegate or delegates. These delegations shall
be documented in the same manner as R2.1 and R2.2, and
approved by the senior manager.
1. Roles of any delegates specified by the CIP Senior Manager related to security event detection or
response should be documented
CIP-003-3 R2: Leadership — The Responsible Entity shall assign a
single senior manager with overall responsibility and authority for
leading and managing the entity’s implementation of, and adherence
to, Standards CIP-002-3 through CIP-009-3.
1. Role of the CIP Senior Manager in security event detection or response should be documented where
appropriate
DE.AE-5: Incident alert thresholds are
established
IR-2d
TVM-1d
SA-2d
IR-2g
RM-2j
Detection Processes (DP):
Detection processes and procedures are maintained
and tested to ensure timely and adequate awareness of
anomalous events.
DE.DP-1: Roles and responsibilities for
detection are well defined to ensure
accountability
IR-1a
IR-3a
WM-1a
WM-1b
WM-1d WM-1f
WM-1h
CIP-007-3 R4: Malicious Software Prevention — The Responsible
Entity shall use anti-virus software and other malicious software
(“malware”) prevention tools, where technically feasible, to detect,
prevent, deter, and mitigate the introduction, exposure, and
propagation of malware on all Cyber Assets within the Electronic
Security Perimeter(s).
1. Response actions for detected malicious code should include clear and pre-defined roles and
responsibilities
CIP-008-3 R1: Cyber Security Incident Response Plan — The
Responsible Entity shall develop and maintain a Cyber Security
Incident response plan and implement the plan in response to Cyber
Security Incidents. The Cyber Security Incident response plan shall
address, at a minimum, the following:
1. Response actions for detected malicious code should include clear and pre-defined roles and
responsibilities
DE.DP-2: Detection activities comply with all
applicable requirements
IR-1d IR-1g
IR-5f
RM-1c
RM-2j
CIP-008-3 R1: Cyber Security Incident Response Plan — The
Responsible Entity shall develop and maintain a Cyber Security
Incident response plan and implement the plan in response to Cyber
Security Incidents. The Cyber Security Incident response plan shall
address, at a minimum, the following:
1. When preparing after-action reports for a security event, ensure processes include a review of
responses against applicable company policies and external regulations
CIP-004-3 R2: Training — The Responsible Entity shall establish,
document, implement, and maintain an annual cyber security
training program for personnel having authorized cyber or authorized
unescorted physical access to Critical Cyber Assets. The cyber
security training program shall be reviewed annually, at a minimum,
and shall be updated whenever necessary.
1. Staff can be effectively trained on security event response by testing detection technologies and
observing the response. For instance, regularly submit an EICAR file to a non-production cyber asset to
test the malware detection/prevention system.
CIP-006-3 R8: Maintenance and Testing — The Responsible Entity
shall implement a maintenance and testing program to ensure that
all physical security systems under Requirements R4, R5, and R6
function properly. The program must include, at a minimum, the
following:
1. Physical access controls are routinely tested
CIP-008-3 R1: Cyber Security Incident Response Plan — The
Responsible Entity shall develop and maintain a Cyber Security
Incident response plan and implement the plan in response to Cyber
Security Incidents. The Cyber Security Incident response plan shall
address, at a minimum, the following:
1. Detection tools can be tested during incident response drills
CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall
document and implement a cyber security policy that represents
management’s commitment and ability to secure its Critical Cyber
Assets. The Responsible Entity shall, at minimum, ensure the
following:
1. Policies should contain language addressing the notification of stakeholders of an event that meets
documented thresholds
DE.DP-4: Event detection information is
communicated to appropriate parties
IR-1b
IR-3c
ISC-1a
ISC-1c
ISC-1d
IR-3n
ISC-1h
DE.DP-3: Detection processes are tested IR-3e IR-3j
CIP-007-3 R6: Security Status Monitoring — The Responsible Entity
shall ensure that all Cyber Assets within the Electronic Security
Perimeter, as technically feasible, implement automated tools or
organizational process controls to monitor system events that are
related to cyber security.
1. Event summaries should be communicated to key stakeholders, to include a frank assessment of the
effectiveness of the response actions and security controls.
CIP-008-3 R1: Cyber Security Incident Response Plan — The
Responsible Entity shall develop and maintain a Cyber Security
Incident response plan and implement the plan in response to Cyber
Security Incidents. The Cyber Security Incident response plan shall
address, at a minimum, the following:
1. Event summaries should be communicated to key stakeholders, to include a frank assessment of the
effectiveness of the response actions and security controls.
DE.DP-5: Detection processes are continuously
improved
IR-3h IR-3k CIP-008-3 R1: Cyber Security Incident Response Plan — The
Responsible Entity shall develop and maintain a Cyber Security
Incident response plan and implement the plan in response to Cyber
Security Incidents. The Cyber Security Incident response plan shall
address, at a minimum, the following:
1. The stated goal of the incident response testing program should be the strengthening of security
controls through a process of regular review and assessment
2. Incident tests should be structured to emulate the current threat landscape and to assess the ability of
existing controls to mitigate or eliminate the risk
DE.CM-1: The network is monitored to detect
potential cybersecurity events
SA-2a
SA-2b
SA-2e
SA-2f
SA-2g
SA-2i
CIP-007-3 R4: Malicious Software Prevention — The Responsible
Entity shall use anti-virus software and other malicious software
(“malware”) prevention tools, where technically feasible, to detect,
prevent, deter, and mitigate the introduction, exposure, and
propagation of malware on all Cyber Assets within the Electronic
Security Perimeter(s).
1. Monitoring of network access points is specified in CIP-005-5 R1.5
2. Monitoring can be enhanced by including analysis of traffic within the security perimeter
CIP-006-3 R1.6: A visitor control program for visitors (personnel
without authorized unescorted access to a Physical Security
Perimeter), containing at a minimum the following:
1. Program should specify monitoring of visitors within a secure perimeter (human and/or electronic
monitoring)
CIP-006-3 R1: Physical Security Plan — The Responsible Entity
shall document, implement, and maintain a physical security plan,
approved by the senior manager or delegate(s) that shall address, at
a minimum, the following:
1. Plan should specify technical and procedural controls for monitoring the physical environment
CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall
document and implement a cyber security policy that represents
management’s commitment and ability to secure its Critical Cyber
Assets. The Responsible Entity shall, at minimum, ensure the
following:
1. Policies should make clear that end-user activities will be monitored
DETECT
(DE)
Security Continuous Monitoring (CM): The
information system and assets are monitored at
discrete intervals to identify cybersecurity events and
verify the effectiveness of protective measures.
DE.CM-2: The physical environment is
monitored to detect potential cybersecurity
events
SA-2a
SA-2b
SA-2i
DE.CM-3: Personnel activity is monitored to
detect potential cybersecurity events
SA-2a
SA-2b
SA-2i
CIP-007-3 R5: Account Management — The Responsible Entity
shall establish, implement, and document technical and procedural
controls that enforce access authentication of, and accountability
for, all user activity, and that minimize the risk of unauthorized
system access.
1. Access controls should be configured to properly log events related to personnel usage activities
CIP-007-3 R6: Security Status Monitoring — The Responsible Entity
shall ensure that all Cyber Assets within the Electronic Security
Perimeter, as technically feasible, implement automated tools or
organizational process controls to monitor system events that are
related to cyber security.
1. Monitoring tools should be capable of detecting interactive (personnel) activities separate from non-
interactive (machine to machine) activities
CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall
document and implement a cyber security policy that represents
management’s commitment and ability to secure its Critical Cyber
Assets. The Responsible Entity shall, at minimum, ensure the
following:
1. Policies should contain requirements for malware controls for any device initiating an interactive
remote access session
CIP-007-3 R4: Malicious Software Prevention — The Responsible
Entity shall use anti-virus software and other malicious software
(“malware”) prevention tools, where technically feasible, to detect,
prevent, deter, and mitigate the introduction, exposure, and
propagation of malware on all Cyber Assets within the Electronic
Security Perimeter(s).
1. Processes should include criteria and thresholds for invoking incident response plans for detected
malicious code
CIP-003-3 R6: Change Control and Configuration Management —
The Responsible Entity shall establish and document a process of
change control and configuration management for adding,
modifying, replacing, or removing Critical Cyber Asset hardware or
software, and implement supporting configuration management
activities to identify, control and document all entity or vendor-related
changes to hardware and software components of Critical Cyber
Assets pursuant to the change control process.
1. Configuration monitoring procedures can be enhanced to include active monitoring of mobile device
code, for any such assets that are in scope for NERC CIP including devices used for maintenance and
testing
CIP-007-3 R4: Malicious Software Prevention — The Responsible
Entity shall use anti-virus software and other malicious software
(“malware”) prevention tools, where technically feasible, to detect,
prevent, deter, and mitigate the introduction, exposure, and
propagation of malware on all Cyber Assets within the Electronic
Security Perimeter(s).
1. Processes should include criteria and thresholds for invoking incident response plans for detected
malicious code
DE.CM-6: External service provider activity is
monitored to detect potential cybersecurity
events
EDM-2a
SA-2a
SA-2b
EDM-2j
EDM-2l
EDM-2n
CIP-007-3 R4: Malicious Software Prevention — The Responsible
Entity shall use anti-virus software and other malicious software
(“malware”) prevention tools, where technically feasible, to detect,
prevent, deter, and mitigate the introduction, exposure, and
propagation of malware on all Cyber Assets within the Electronic
Security Perimeter(s).
1. Electronic perimeter monitoring should include technical or procedural controls to detect potential
cybersecurity events sourced from an external service provider
DE.CM-5: Unauthorized mobile code is
detected
SA-2a
SA-2b
SA-2e SA-2h
SA-2i
DE.CM-4: Malicious code is detected SA-2a
SA-2b
SA-2e
CPM-4a
SA-2i
CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall
document and implement a cyber security policy that represents
management’s commitment and ability to secure its Critical Cyber
Assets. The Responsible Entity shall, at minimum, ensure the
following:
1. Policies should contain requirements for authorization of access
2. Personnel should be made aware that the entity is monitoring for unauthorized access
CIP-004-3 R3: Personnel Risk Assessment —The Responsible Entity
shall have a documented personnel risk assessment program, in
accordance with federal, state, provincial, and local laws, and
subject to existing collective bargaining unit agreements, for
personnel having authorized cyber or authorized unescorted physical
access to Critical Cyber Assets. A personnel risk assessment shall
be conducted pursuant to that program prior to such personnel being
granted such access except in specified circumstances such as an
emergency.
1. A process should be identified to authenticate, and perform appropriate background checks on,
personnel seeking to attain or retain authorized electronic access or authorized unescorted physical access
to BES Cyber Systems.
2. Personnel risk management program should stipulate consequences for violating policies related to
access management
CIP-006-3 R2: Protection of Physical Access Control Systems —
Cyber Assets that authorize and/or log access to the Physical
Security Perimeter(s), exclusive of hardware at the Physical Security
Perimeter access point such as electronic lock control mechanisms
and badge readers, shall:
CIP-006-3 R2.1: Be protected from unauthorized physical access.
1. Monitor for unauthorized personnel
CIP-006-3 R5: Monitoring Physical Access — The Responsible
Entity shall document and implement the technical and procedural
controls for monitoring physical access at all access points to the
Physical Security Perimeter(s) twenty-four hours a day, seven days a
week. Unauthorized access attempts shall be reviewed immediately
and handled in accordance with the procedures specified in
Requirement CIP-008-3. One or more of the following monitoring
methods shall be used:
• Alarm Systems: Systems that alarm to indicate a door, gate or
window has been opened without authorization. These alarms must
provide for immediate notification to personnel responsible for
response.
• Human Observation of Access Points: Monitoring of physical access
points by authorized personnel as specified in Requirement R4.
1. Monitor for unauthorized personnel
DE.CM-7: Monitoring for unauthorized
personnel, connections, devices, and software
is performed
SA-2a
SA-2b
SA-2e
SA-2f
SA-2g
SA-2i
CIP-007-3 R6: Security Status Monitoring — The Responsible Entity
shall ensure that all Cyber Assets within the Electronic Security
Perimeter, as technically feasible, implement automated tools or
organizational process controls to monitor system events that are
related to cyber security.
1. Monitor for unauthorized access to a protected device
2. Monitor for unauthorized remote access to a protected network
3. Monitor for unauthorized devices within a protected network
4. Monitor for unauthorized software in conjunction with CIP-010-1 R2
CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall
document and implement a cyber security policy that represents
management’s commitment and ability to secure its Critical Cyber
Assets. The Responsible Entity shall, at minimum, ensure the
following:
1. Policies should make clear the stakeholders' expectations of the vulnerability assessment program
CIP-007-3 R4: Malicious Software Prevention — The Responsible
Entity shall use anti-virus software and other malicious software
(“malware”) prevention tools, where technically feasible, to detect,
prevent, deter, and mitigate the introduction, exposure, and
propagation of malware on all Cyber Assets within the Electronic
Security Perimeter(s).
1. Where malicious code prevention processes utilize signature-based protections, ensure scans are
performed subsequent to any update to those signatures
CIP-007-3 R8: Cyber Vulnerability Assessment — The Responsible
Entity shall perform a cyber vulnerability assessment of all Cyber
Assets within the Electronic Security Perimeter at least annually. The
vulnerability assessment shall include, at a minimum, the following:
1. If active assessment of a production environment is performed it should be done in a way that
minimizes the potential of adverse consequences. New cyber assets should be actively tested prior to
deployment in a production system.
CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall
document and implement a cyber security policy that represents
management’s commitment and ability to secure its Critical Cyber
Assets. The Responsible Entity shall, at minimum, ensure the
following:
1. Policies should include language that communicates management's expectations for responding to
alerts from detection systems
Analysis (AN): Analysis is conducted to ensure
adequate response and support recovery activities.
DE.CM-8: Vulnerability scans are performed TVM-2e TVM-2i
RS.AN-1: Notifications from detection systems
are investigated
IR-1e
SA-3a
IR-1f
IR-1h
CIP-006-3 R5: Monitoring Physical Access — The Responsible
Entity shall document and implement the technical and procedural
controls for monitoring physical access at all access points to the
Physical Security Perimeter(s) twenty-four hours a day, seven days a
week. Unauthorized access attempts shall be reviewed immediately
and handled in accordance with the procedures specified in
Requirement CIP-008-3. One or more of the following monitoring
methods shall be used:
• Alarm Systems: Systems that alarm to indicate a door, gate or
window has been opened without authorization. These alarms must
provide for immediate notification to personnel responsible for
response.
• Human Observation of Access Points: Monitoring of physical access
points by authorized personnel as specified in Requirement R4.
1. Procedures should include language that supports management's expectations for responding to alerts
from detection systems
CIP-007-3 R6: Security Status Monitoring — The Responsible Entity
shall ensure that all Cyber Assets within the Electronic Security
Perimeter, as technically feasible, implement automated tools or
organizational process controls to monitor system events that are
related to cyber security.
1. Procedures should include language that supports management's expectations for responding to alerts
from detection systems
CIP-008-3 R1: Cyber Security Incident Response Plan — The
Responsible Entity shall develop and maintain a Cyber Security
Incident response plan and implement the plan in response to Cyber
Security Incidents. The Cyber Security Incident response plan shall
address, at a minimum, the following:
1. Procedures should include language that supports management's expectations for responding to alerts
from detection systems
RS.AN-2: The impact of the incident is
understood
IR-2d
IR-2g
IR-2d
TVM-1d
IR-2g
RM-2j
CIP-008-3 R1: Cyber Security Incident Response Plan — The
Responsible Entity shall develop and maintain a Cyber Security
Incident response plan and implement the plan in response to Cyber
Security Incidents. The Cyber Security Incident response plan shall
address, at a minimum, the following:
1. When implementing an incident response plan, response personnel should take deliberate actions only
when the impact of the incident and their actions are understood
CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall
document and implement a cyber security policy that represents
management’s commitment and ability to secure its Critical Cyber
Assets. The Responsible Entity shall, at minimum, ensure the
following:
1. Policy should establish criteria for when and how forensic data is collected, handled, and analyzed
RS.AN-3: Forensics are performed
IR-3d IR-3i
CIP-008-3 R1: Cyber Security Incident Response Plan — The
Responsible Entity shall develop and maintain a Cyber Security
Incident response plan and implement the plan in response to Cyber
Security Incidents. The Cyber Security Incident response plan shall
address, at a minimum, the following:
1. Procedures should include steps for how forensic data is collected, handled, and analyzed
2. Forensics activities are performed when specified in the response plans
CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall
document and implement a cyber security policy that represents
management’s commitment and ability to secure its Critical Cyber
Assets. The Responsible Entity shall, at minimum, ensure the
following:
1. Policy should establish a classification model for security events
CIP-008-3 R1: Cyber Security Incident Response Plan — The
Responsible Entity shall develop and maintain a Cyber Security
Incident response plan and implement the plan in response to Cyber
Security Incidents. The Cyber Security Incident response plan shall
address, at a minimum, the following:
1. Procedures should follow an established classification model to ensure that security events can be
responded to quickly based on general characteristics
CIP-004-3 R2: Training — The Responsible Entity shall establish,
document, implement, and maintain an annual cyber security
training program for personnel having authorized cyber or authorized
unescorted physical access to Critical Cyber Assets. The cyber
security training program shall be reviewed annually, at a minimum,
and shall be updated whenever necessary.
1. Goal of the training should be that personnel know their roles and order of operations when a
response is needed
CIP-008-3 R1: Cyber Security Incident Response Plan — The
Responsible Entity shall develop and maintain a Cyber Security
Incident response plan and implement the plan in response to Cyber
Security Incidents. The Cyber Security Incident response plan shall
address, at a minimum, the following:
1. Roles and responsibilities of personnel as they relate to incident response should be defined within each
plan
CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall
document and implement a cyber security policy that represents
management’s commitment and ability to secure its Critical Cyber
Assets. The Responsible Entity shall, at minimum, ensure the
following:
1. Policies can be used to document management's expectations for incident reporting
Communications (CO): Response activities are
coordinated with internal and external stakeholders, as
appropriate, to include external support from law
enforcement agencies.
RS.CO-1: Personnel know their roles and order
of operations when a response is needed
IR-3a IR-5a
IR-5b
RS.CO-2: Events are reported consistent with
established criteria
IR-1a
IR-1b
RS.AN-4: Incidents are categorized consistent
with response plans
IR-2a IR-1d
IR-1e
IR-2d
TVM-1d
IR-2g
RM-1c
Page 19 of 23
Mapping of NIST Cybersecurity Framework to NERC CIP version 3
Nov-14
Columns: Function | Category | Subcategory | C2M2 Practices ** (MIL 1 / MIL 2 / MIL 3) | NERC CIP v3 | Guidance for combined NERC CIP v3 & NIST CSF
CIP-006-3 R5: Monitoring Physical Access — The Responsible
Entity shall document and implement the technical and procedural
controls for monitoring physical access at all access points to the
Physical Security Perimeter(s) twenty-four hours a day, seven days a
week. Unauthorized access attempts shall be reviewed immediately
and handled in accordance with the procedures specified in
Requirement CIP-008-3. One or more of the following monitoring
methods shall be used:
- Alarm Systems: Systems that alarm to indicate a door, gate or
window has been opened without authorization. These alarms must
provide for immediate notification to personnel responsible for
response.
- Human Observation of Access Points: Monitoring of physical access
points by authorized personnel as specified in Requirement R4.
1. Reporting criteria should address events detected at physical access points
CIP-007-3 R4: Malicious Software Prevention — The Responsible
Entity shall use anti-virus software and other malicious software
(“malware”) prevention tools, where technically feasible, to detect,
prevent, deter, and mitigate the introduction, exposure, and
propagation of malware on all Cyber Assets within the Electronic
Security Perimeter(s).
1. Reporting criteria should address events detected at electronic access points
CIP-007-3 R6: Security Status Monitoring — The Responsible Entity
shall ensure that all Cyber Assets within the Electronic Security
Perimeter, as technically feasible, implement automated tools or
organizational process controls to monitor system events that are
related to cyber security.
1. Reporting criteria should address events detected by monitoring tools
CIP-008-3 R1: Cyber Security Incident Response Plan — The
Responsible Entity shall develop and maintain a Cyber Security
Incident response plan and implement the plan in response to Cyber
Security Incidents. The Cyber Security Incident response plan shall
address, at a minimum, the following:
1. Procedures for event reporting should be specified within each response plan
RS.CO-3: Information is shared consistent with
response plans
ISC-1a
ISC-1b
IR-3d
ISC-1c
ISC-1d
CIP-008-3 R1: Cyber Security Incident Response Plan — The
Responsible Entity shall develop and maintain a Cyber Security
Incident response plan and implement the plan in response to Cyber
Security Incidents. The Cyber Security Incident response plan shall
address, at a minimum, the following:
1. Procedures for event reporting should be specified within each response plan
CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall
document and implement a cyber security policy that represents
management’s commitment and ability to secure its Critical Cyber
Assets. The Responsible Entity shall, at minimum, ensure the
following:
1. Policies can be used to document management's expectations for incident reporting and coordination
with stakeholders
CIP-008-3 R1: Cyber Security Incident Response Plan — The
Responsible Entity shall develop and maintain a Cyber Security
Incident response plan and implement the plan in response to Cyber
Security Incidents. The Cyber Security Incident response plan shall
address, at a minimum, the following:
1. Procedures for event reporting should be specified within each response plan
CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall
document and implement a cyber security policy that represents
management’s commitment and ability to secure its Critical Cyber
Assets. The Responsible Entity shall, at minimum, ensure the
following:
1. Policies can be used to document management's expectations for incident reporting and coordination
with stakeholders
CIP-008-3 R1: Cyber Security Incident Response Plan — The
Responsible Entity shall develop and maintain a Cyber Security
Incident response plan and implement the plan in response to Cyber
Security Incidents. The Cyber Security Incident response plan shall
address, at a minimum, the following:
1. Procedures for information sharing should be specified within each response plan
CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall
document and implement a cyber security policy that represents
management’s commitment and ability to secure its Critical Cyber
Assets. The Responsible Entity shall, at minimum, ensure the
following:
1. Policies should contain language that communicates management's requirements for strengthening
response plans by incorporating findings from lessons-learned analysis
CIP-008-3 R1: Cyber Security Incident Response Plan — The
Responsible Entity shall develop and maintain a Cyber Security
Incident response plan and implement the plan in response to Cyber
Security Incidents. The Cyber Security Incident response plan shall
address, at a minimum, the following:
1. Response plans should be written to include references to lessons-learned or procedural
enhancements that were the result of a prior incident
CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall
document and implement a cyber security policy that represents
management’s commitment and ability to secure its Critical Cyber
Assets. The Responsible Entity shall, at minimum, ensure the
following:
1. Policies should contain language that communicates management's requirements for reviewing and
updating incident response plans
RESPOND
(RS)
Improvements (IM): Organizational response activities
are improved by incorporating lessons learned from
current and previous detection/response activities.
RS.IM-1: Response plans incorporate lessons
learned
IR-3h
RS.IM-2: Response strategies are updated IR-3e IR-3k
RS.CO-4: Coordination with stakeholders
occurs consistent with response plans
IR-3d
IR-5b
RS.CO-5: Voluntary information sharing occurs
with external stakeholders to achieve broader
cybersecurity situational awareness
ISC-1a
ISC-1b
IR-3c
ISC-1c
ISC-1d
ISC-1e
ISC-1f
ISC-1h
ISC-1i
ISC-1j
ISC-1k
ISC-1l
Page 20 of 23
CIP-008-3 R1: Cyber Security Incident Response Plan — The
Responsible Entity shall develop and maintain a Cyber Security
Incident response plan and implement the plan in response to Cyber
Security Incidents. The Cyber Security Incident response plan shall
address, at a minimum, the following:
1. Plans should be reviewed and updated according to the periodicity specified in the policy
CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall
document and implement a cyber security policy that represents
management’s commitment and ability to secure its Critical Cyber
Assets. The Responsible Entity shall, at minimum, ensure the
following:
1. Policies should specify a model of containment, eradication, and recovery for security incidents
CIP-006-3 R5: Monitoring Physical Access — The Responsible
Entity shall document and implement the technical and procedural
controls for monitoring physical access at all access points to the
Physical Security Perimeter(s) twenty-four hours a day, seven days a
week. Unauthorized access attempts shall be reviewed immediately
and handled in accordance with the procedures specified in
Requirement CIP-008-3. One or more of the following monitoring
methods shall be used:
- Alarm Systems: Systems that alarm to indicate a door, gate or
window has been opened without authorization. These alarms must
provide for immediate notification to personnel responsible for
response.
- Human Observation of Access Points: Monitoring of physical access
points by authorized personnel as specified in Requirement R4.
1. Procedures should specify a model of containment, eradication, and recovery for security incidents for
events detected at physical access points
CIP-007-3 R4: Malicious Software Prevention — The Responsible
Entity shall use anti-virus software and other malicious software
(“malware”) prevention tools, where technically feasible, to detect,
prevent, deter, and mitigate the introduction, exposure, and
propagation of malware on all Cyber Assets within the Electronic
Security Perimeter(s).
1. Procedures should specify a model of containment, eradication, and recovery for security incidents for
events detected at electronic access points
CIP-007-3 R4: Malicious Software Prevention — The Responsible
Entity shall use anti-virus software and other malicious software
(“malware”) prevention tools, where technically feasible, to detect,
prevent, deter, and mitigate the introduction, exposure, and
propagation of malware on all Cyber Assets within the Electronic
Security Perimeter(s).
1. Procedures should specify a model of containment, eradication, and recovery for security incidents for
events detected by malicious code prevention systems
Mitigation (MI): Activities are performed to prevent
expansion of an event, mitigate its effects, and
eradicate the incident.
RS.MI-1: Incidents are contained IR-3b
CIP-007-3 R6: Security Status Monitoring — The Responsible Entity
shall ensure that all Cyber Assets within the Electronic Security
Perimeter, as technically feasible, implement automated tools or
organizational process controls to monitor system events that are
related to cyber security.
1. Procedures should specify a model of containment, eradication, and recovery for security incidents for
events detected by event monitoring systems
CIP-008-3 R1: Cyber Security Incident Response Plan — The
Responsible Entity shall develop and maintain a Cyber Security
Incident response plan and implement the plan in response to Cyber
Security Incidents. The Cyber Security Incident response plan shall
address, at a minimum, the following:
1. Incident response procedures should specify a model of containment, eradication, and recovery
CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall
document and implement a cyber security policy that represents
management’s commitment and ability to secure its Critical Cyber
Assets. The Responsible Entity shall, at minimum, ensure the
following:
1. Policies should specify a model of containment, eradication, and recovery for security incidents
CIP-006-3 R5: Monitoring Physical Access — The Responsible
Entity shall document and implement the technical and procedural
controls for monitoring physical access at all access points to the
Physical Security Perimeter(s) twenty-four hours a day, seven days a
week. Unauthorized access attempts shall be reviewed immediately
and handled in accordance with the procedures specified in
Requirement CIP-008-3. One or more of the following monitoring
methods shall be used:
- Alarm Systems: Systems that alarm to indicate a door, gate or
window has been opened without authorization. These alarms must
provide for immediate notification to personnel responsible for
response.
- Human Observation of Access Points: Monitoring of physical access
points by authorized personnel as specified in Requirement R4.
1. Procedures should specify a model of containment, eradication, and recovery for security incidents for
events detected at physical access points
CIP-007-3 R4: Malicious Software Prevention — The Responsible
Entity shall use anti-virus software and other malicious software
(“malware”) prevention tools, where technically feasible, to detect,
prevent, deter, and mitigate the introduction, exposure, and
propagation of malware on all Cyber Assets within the Electronic
Security Perimeter(s).
1. Procedures should specify a model of containment, eradication, and recovery for security incidents for
events detected at electronic access points
RS.MI-2: Incidents are mitigated IR-3b
Page 21 of 23
CIP-007-3 R4: Malicious Software Prevention — The Responsible
Entity shall use anti-virus software and other malicious software
(“malware”) prevention tools, where technically feasible, to detect,
prevent, deter, and mitigate the introduction, exposure, and
propagation of malware on all Cyber Assets within the Electronic
Security Perimeter(s).
1. Procedures should specify a model of containment, eradication, and recovery for security incidents for
events detected by malicious code prevention systems
CIP-007-3 R6: Security Status Monitoring — The Responsible Entity
shall ensure that all Cyber Assets within the Electronic Security
Perimeter, as technically feasible, implement automated tools or
organizational process controls to monitor system events that are
related to cyber security.
1. Procedures should specify a model of containment, eradication, and recovery for security incidents for
events detected by event monitoring systems
CIP-008-3 R1: Cyber Security Incident Response Plan — The
Responsible Entity shall develop and maintain a Cyber Security
Incident response plan and implement the plan in response to Cyber
Security Incidents. The Cyber Security Incident response plan shall
address, at a minimum, the following:
1. Incident response procedures should specify a model of containment, eradication, and recovery
CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall
document and implement a cyber security policy that represents
management’s commitment and ability to secure its Critical Cyber
Assets. The Responsible Entity shall, at minimum, ensure the
following:
1. Policies should contain language that communicates management's requirements for addressing
newly identified vulnerabilities
CIP-007-3 R3: Security Patch Management — The Responsible
Entity, either separately or as a component of the documented
configuration management process specified in CIP-003-3
Requirement R6, shall establish, document and implement a security
patch management program for tracking, evaluating, testing, and
installing applicable cyber security software patches for all Cyber
Assets within the Electronic Security Perimeter(s).
1. Patch management plans should include procedures for addressing zero-day or imminent threat
vulnerabilities
CIP-007-3 R4: Malicious Software Prevention — The Responsible
Entity shall use anti-virus software and other malicious software
(“malware”) prevention tools, where technically feasible, to detect,
prevent, deter, and mitigate the introduction, exposure, and
propagation of malware on all Cyber Assets within the Electronic
Security Perimeter(s).
1. Malicious code prevention plans should include procedures for addressing zero-day or imminent threat
vulnerabilities
CIP-007-3 R8: Cyber Vulnerability Assessment — The Responsible
Entity shall perform a cyber vulnerability assessment of all Cyber
Assets within the Electronic Security Perimeter at least annually. The
vulnerability assessment shall include, at a minimum, the following:
1. Vulnerability management plans should include procedures for notification of and response to zero-day
or imminent threat vulnerabilities
RS.MI-3: Newly identified vulnerabilities are
mitigated or documented as accepted risks
TVM-2c TVM-2f
TVM-2g
RM-2j
TVM-2m
TVM-2n
Response Planning (RP): Response processes and
procedures are executed and maintained, to ensure
timely response to detected cybersecurity events.
RS.RP-1: Response plan is executed during or
after an event
IR-3d
CIP-008-3 R1: Cyber Security Incident Response Plan — The
Responsible Entity shall develop and maintain a Cyber Security
Incident response plan and implement the plan in response to Cyber
Security Incidents. The Cyber Security Incident response plan shall
address, at a minimum, the following:
1. The incident response plan should be invoked, and its execution documented, during or after a Cyber Security Incident
RC.CO-1: Public Relations are managed
TVM-1d
IR-4d
RM-1c
1. Within the context of the incident and emergency response program, define a communications plan
that specifically addresses external stakeholders
2. Create pre-defined templates for communications in response to predictable events
RC.CO-2: Reputation after an event is repaired
IR-4d
1. Within the context of the incident and emergency response program, define a communications plan
that specifically addresses external stakeholders
2. Create pre-defined templates for communications in response to predictable events
CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall
document and implement a cyber security policy that represents
management’s commitment and ability to secure its Critical Cyber
Assets. The Responsible Entity shall, at minimum, ensure the
following:
1. Ensure security policy defines criteria for communications to all stakeholders
CIP-009-3 R1: Recovery Plans — The Responsible Entity shall
create and annually review recovery plan(s) for Critical Cyber
Assets. The recovery plan(s) shall address at a minimum the
following:
1. Ensure recovery plans include communications criteria based on severity of event
CIP-009-3 R3: Change Control — Recovery plan(s) shall be updated
to reflect any changes or lessons learned as a result of an exercise
or the recovery from an actual incident. Updates shall be
communicated to personnel responsible for the activation and
implementation of the recovery plan(s) within thirty calendar days of
the change being completed.
1. Update communications protocols as necessary to reflect changes in the business and its stakeholders
CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall
document and implement a cyber security policy that represents
management’s commitment and ability to secure its Critical Cyber
Assets. The Responsible Entity shall, at minimum, ensure the
following:
1. Ensure security policy defines criteria for managing updates to recovery plans
Communications (CO): Restoration activities are
coordinated with internal and external parties, such as
coordinating centers, Internet Service Providers,
owners of attacking systems, victims, other CSIRTs,
and vendors.
Improvements (IM): Recovery planning and processes are
improved by incorporating lessons learned into future
activities.
RC.IM-1: Recovery plans incorporate lessons
learned
IR-3h
IR-4i
IR-3k
RC.CO-3: Recovery activities are
communicated to internal stakeholders and
executive and management teams
IR-3d IR-5e
Page 22 of 23
CIP-009-3 R3: Change Control — Recovery plan(s) shall be updated
to reflect any changes or lessons learned as a result of an exercise
or the recovery from an actual incident. Updates shall be
communicated to personnel responsible for the activation and
implementation of the recovery plan(s) within thirty calendar days of
the change being completed.
1. Ensure response plans define a process for after-action review of all activities associated with a real or
simulated event, including a defined communications plan.
CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall
document and implement a cyber security policy that represents
management’s commitment and ability to secure its Critical Cyber
Assets. The Responsible Entity shall, at minimum, ensure the
following:
1. Ensure security policy defines criteria for managing updates to recovery plans
CIP-009-3 R3: Change Control — Recovery plan(s) shall be updated
to reflect any changes or lessons learned as a result of an exercise
or the recovery from an actual incident. Updates shall be
communicated to personnel responsible for the activation and
implementation of the recovery plan(s) within thirty calendar days of
the change being completed.
1. Ensure response plans are informed by the risk program, and are routinely updated
CIP-003-3 R1: Cyber Security Policy — The Responsible Entity shall
document and implement a cyber security policy that represents
management’s commitment and ability to secure its Critical Cyber
Assets. The Responsible Entity shall, at minimum, ensure the
following:
1. Define expectations and roles and responsibilities within the security policy. Include contingencies and
management practices where policy provisions can be suspended and tracked in response to emergency
events.
CIP-007-3 R6: Security Status Monitoring — The Responsible Entity
shall ensure that all Cyber Assets within the Electronic Security
Perimeter, as technically feasible, implement automated tools or
organizational process controls to monitor system events that are
related to cyber security.
1. Ensure a clear escalation path exists between routine system monitoring activities and the recovery
plans.
CIP-009-3 R1: Recovery Plans — The Responsible Entity shall
create and annually review recovery plan(s) for Critical Cyber
Assets. The recovery plan(s) shall address at a minimum the
following:
1. Establish an enterprise emergency response capability that addresses assets in multiple security
zones, and ensure recovery plans give precedence to higher-risk systems.
CIP-009-3 R3: Change Control — Recovery plan(s) shall be updated
to reflect any changes or lessons learned as a result of an exercise
or the recovery from an actual incident. Updates shall be
communicated to personnel responsible for the activation and
implementation of the recovery plan(s) within thirty calendar days of
the change being completed.
1. Establish an enterprise emergency response capability that addresses assets in multiple security
zones, and ensure recovery plans give precedence to higher-risk systems.
Recovery Planning (RP): Recovery processes and
procedures are executed and maintained to ensure
timely restoration of systems or assets affected by
cybersecurity events.
RECOVER
(RC)
RC.RP-1: Recovery plan is executed during or
after an event
IR-3b IR-3o
IR-4k
RC.IM-2: Recovery strategies are updated IR-3h
IR-3k
** C2M2 Domains and Abbreviations
Abbreviation  Domain
ACM  Asset, Change, and Configuration Management
CPM  Cybersecurity Program Management
EDM  Supply Chain and External Dependencies Management
IAM  Identity and Access Management
IR   Event and Incident Response, Continuity of Operations
ISC  Information Sharing and Communications
RM   Risk Management
SA   Situational Awareness
TVM  Threat and Vulnerability Management
WM   Workforce Management
Page 23 of 23
CIP-002-5.1 R1: Each Responsible Entity shall implement a process
that considers each of the following assets for purposes of parts 1.1
through 1.3: i. Control Centers and backup Control Centers; ii.
Transmission stations and substations; iii. Generation resources;
iv.Systems and facilities critical to system restoration, including
Blackstart Resources and Cranking Paths and initial switching
requirements; v.Special Protection Systems that support the reliable
operation of the Bulk Electric System; and vi.For Distribution
Providers, Protection Systems specified in Applicability section 4.2.1
above.
1. Ensure inventory includes assets in all security zones
2. Must establish a methodology that identifies the Bulk Electric System (BES) Cyber Systems which
perform BES reliability operating services (BROS) and evaluate the potential for adverse impact that the
loss, compromise, or misuse would have on the reliable operation of the Bulk Electric System (BES).
CIP-002-5.1 R2: The Responsible Entity shall: (2.1) Review the
identifications in Requirement R1 and its parts (and update them if
there are changes identified) at least once every 15 calendar months,
even if it has no identified items in Requirement R1, and; (2.2) Have
its CIP Senior Manager or delegate approve the identifications
required by Requirement R1 at least once every 15 calendar months,
even if it has no identified items in Requirement R1.
1. Perform zone-level inventories regularly and compare with previous iterations
2. Results are reviewed by a person with authority to approve
CIP-003-5 R2: Each Responsible Entity for its assets identified in
CIP‐002‐5, Requirement R1, Part R1.3, shall implement, in a manner
that identifies, assesses, and corrects deficiencies, one or more
documented cyber security policies that collectively address the
following topics, and review and obtain CIP Senior Manager approval
for those policies at least once every 15 calendar months: (An
inventory, list, or discrete identification of low impact BES Cyber
Systems or their BES Cyber Assets is not required). (2.1) Cyber
security awareness; (2.2) Physical security controls; (2.3) Electronic
access controls for external routable protocol connections and Dial‐up
Connectivity; and (2.4) Incident response to a Cyber Security Incident.
1. Policy language should address inventory and asset management
CIP-002-5.1 R1: Each Responsible Entity shall implement a process
that considers each of the following assets for purposes of parts 1.1
through 1.3: i. Control Centers and backup Control Centers; ii.
Transmission stations and substations; iii. Generation resources;
iv.Systems and facilities critical to system restoration, including
Blackstart Resources and Cranking Paths and initial switching
requirements; v.Special Protection Systems that support the reliable
operation of the Bulk Electric System; and vi.For Distribution
Providers, Protection Systems specified in Applicability section 4.2.1
above.
1. Ensure inventory includes assets in all security zones
2. Ensure, for all registered functions, that all BES reliability operating services performed are identified and
evaluated. Reference CIP-002-5.1 Guidelines and Technical Basis.
- Dynamic Response to BES conditions
- Balancing Load and Generation
- Controlling Frequency (Real Power)
- Controlling Voltage (Reactive Power)
- Managing Constraints
- Monitoring & Control
- Restoration of BES
- Situational Awareness
- Inter‐Entity Real‐Time Coordination and Communication
CIP-002-5.1 R2: The Responsible Entity shall: (2.1) Review the
identifications in Requirement R1 and its parts (and update them if
there are changes identified) at least once every 15 calendar months,
even if it has no identified items in Requirement R1, and; (2.2) Have
its CIP Senior Manager or delegate approve the identifications
required by Requirement R1 at least once every 15 calendar months,
even if it has no identified items in Requirement R1.
1. Ensure reviews include participation of all NERC registered functions at a minimum.
CIP-002-5.1 R1: Each Responsible Entity shall implement a process
that considers each of the following assets for purposes of parts 1.1
through 1.3: i. Control Centers and backup Control Centers; ii.
Transmission stations and substations; iii. Generation resources;
iv.Systems and facilities critical to system restoration, including
Blackstart Resources and Cranking Paths and initial switching
requirements; v.Special Protection Systems that support the reliable
operation of the Bulk Electric System; and vi.For Distribution
Providers, Protection Systems specified in Applicability section 4.2.1
above.
1. Communication and data flow documentation should include any communication and data flows between
BES Cyber Systems and other systems such as business systems, physical security systems, etc.
Mapping of NIST Cybersecurity Framework to NERC CIP version 5
Nov-14
Columns: Function | Category | Subcategory | C2M2 Practices ** (MIL 1 / MIL 2 / MIL 3) | NERC CIP v5 | Guidance for combined NERC CIP v5 & NIST CSF
ID.AM-1: Physical devices and systems within
the organization are inventoried
ACM-1a ACM-1c ACM-1e
ACM-1f
ID.AM-2: Software platforms and applications
within the organization are inventoried
ACM-1b ACM-1c ACM-1e
ACM-1f
ID.AM-3: Organizational communication and
data flows are mapped
RM-2g ACM-1e
Asset Management (AM): The data, personnel,
devices, systems, and facilities that enable the
organization to achieve business purposes are identified
and managed consistent with their relative importance to
business objectives and the organization’s risk strategy.
Page 1 of 34
CIP-003-5 R1 - 1.2: Each Responsible Entity, for its high impact and
medium impact BES Cyber Systems, shall review and obtain CIP
Senior Manager approval at least once every 15 calendar months for
one or more documented cyber security policies that collectively
address the following topics: Electronic Security Perimeters (CIP‐005)
including Interactive Remote Access;
1. Ensure organizational policies include a reference to the CIP Senior Manager's role in approving
cybersecurity policies for NERC CIP systems.
CIP-005-5 R2: Each Responsible Entity allowing Interactive Remote
Access to BES Cyber Systems shall implement one or more
documented processes that collectively include the applicable
requirement parts, where technically feasible, in CIP-005-5 Table R2
– Interactive Remote Access Management.
1. Diagrams for CIP-005-5 should include data flows in addition to logical & physical connectivity
2. Data flows should be classified according to the sensitivity of the information
CIP-011-1 R1: Each Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, one or more
documented information protection program(s) that collectively
includes each of the applicable requirement parts in CIP‐011‐1 Table
R1 – Information Protection.
1. Diagrams for CIP-005-5 should include data flows in addition to logical & physical connectivity
2. Data flows should be classified according to the sensitivity of the information
CIP-002-5.1 R1: Each Responsible Entity shall implement a process
that considers each of the following assets for purposes of parts 1.1
through 1.3: i. Control Centers and backup Control Centers; ii.
Transmission stations and substations; iii. Generation resources;
iv.Systems and facilities critical to system restoration, including
Blackstart Resources and Cranking Paths and initial switching
requirements; v.Special Protection Systems that support the reliable
operation of the Bulk Electric System; and vi.For Distribution
Providers, Protection Systems specified in Applicability section 4.2.1
above.
1. Ensure inventory includes assets in all security zones
2. Must establish a methodology that identifies the Bulk Electric System (BES) Cyber Systems which
perform BES reliability operating services (BROS) and evaluate the potential for adverse impact that the
loss, compromise, or misuse would have on the reliable operation of the Bulk Electric System (BES).
CIP-002-5.1 R2: The Responsible Entity shall: (2.1) Review the
identifications in Requirement R1 and its parts (and update them if
there are changes identified) at least once every 15 calendar months,
even if it has no identified items in Requirement R1, and; (2.2) Have
its CIP Senior Manager or delegate approve the identifications
required by Requirement R1 at least once every 15 calendar months,
even if it has no identified items in Requirement R1.
1. Perform zone-level inventories regularly and compare with previous iterations
2. Results are reviewed by a person with authority to approve
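The guidance for CIP-002-5.1 R2 (here and on the previous page) calls for zone-level inventories that are compared with the previous iteration and then approved by someone with authority, at least once every 15 calendar months even when nothing changed. The script below is an added example of that comparison, written for this edit and not taken from the CSSWG document or any NERC material; the asset record fields (asset_id, zone, impact, bros) and the two snapshots are constructed for illustration.

```python
"""Compare two BES Cyber Asset inventory snapshots zone by zone and
check whether the CIP-002-5.1 R2 review is still within its window.

Added example; field names and sample data are assumptions, not a
format defined by NERC or the CSSWG mapping.
"""
import calendar
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    asset_id: str
    zone: str          # security zone / ESP the asset sits in
    impact: str        # "high", "medium", "low" per CIP-002-5.1 R1; "" if not yet rated
    bros: frozenset    # BES reliability operating services the asset supports


# Constructed sample snapshots (not real inventories).
PREVIOUS = [
    Asset("EMS-SCADA-01", "control-center", "high",
          frozenset({"Monitoring & Control", "Situational Awareness"})),
    Asset("RTU-SUB-12", "substation-12", "medium", frozenset({"Monitoring & Control"})),
    Asset("HMI-GEN-03", "plant-3", "low", frozenset({"Balancing Load and Generation"})),
]
CURRENT = [
    Asset("EMS-SCADA-01", "control-center", "high",
          frozenset({"Monitoring & Control", "Situational Awareness"})),
    Asset("RTU-SUB-12", "substation-12", "high", frozenset({"Monitoring & Control"})),  # rating changed
    Asset("HIST-CC-02", "control-center", "", frozenset()),                             # new, unrated
]


def diff_inventories(previous, current):
    """Return (per-zone added/removed/changed asset ids, review findings).

    An asset that moved between zones shows up as removed from one zone and
    added to the other, which is exactly what a zone-level reviewer wants to see.
    """
    prev = {a.asset_id: a for a in previous}
    cur = {a.asset_id: a for a in current}
    zones = sorted({a.zone for a in previous} | {a.zone for a in current})
    report = {}
    for zone in zones:
        p_ids = {i for i, a in prev.items() if a.zone == zone}
        c_ids = {i for i, a in cur.items() if a.zone == zone}
        report[zone] = {
            "added": sorted(c_ids - p_ids),
            "removed": sorted(p_ids - c_ids),
            # same id in both snapshots but any field differs (e.g. impact rating)
            "changed": sorted(i for i in p_ids & c_ids if prev[i] != cur[i]),
        }
    # Findings block approval: every asset needs an impact rating that is
    # justified by the BROS it performs (CIP-002-5.1 R1 methodology).
    findings = []
    for a in current:
        if not a.impact:
            findings.append(f"{a.asset_id}: no impact rating; R1 categorization incomplete")
        if not a.bros:
            findings.append(f"{a.asset_id}: no BROS recorded; impact rating cannot be justified")
    return report, findings


def review_deadline(last_review_iso, months=15):
    """Date by which the next review/approval must occur: the same calendar
    day `months` months after the last review (clamped to month length)."""
    last = date.fromisoformat(last_review_iso)
    y = last.year + (last.month - 1 + months) // 12
    m = (last.month - 1 + months) % 12 + 1
    d = min(last.day, calendar.monthrange(y, m)[1])
    return date(y, m, d).isoformat()


def review_overdue(last_review_iso, today_iso):
    """True when today is past the 15-calendar-month deadline."""
    return date.fromisoformat(today_iso) > date.fromisoformat(review_deadline(last_review_iso))


def approval_packet(previous, current, last_review_iso, today_iso):
    """What the CIP Senior Manager (or delegate) is asked to sign: the diff,
    the open findings, and whether the review itself is late."""
    report, findings = diff_inventories(previous, current)
    return {
        "zones": report,
        "open_findings": findings,
        "ready_for_approval": not findings,
        "review_overdue": review_overdue(last_review_iso, today_iso),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(approval_packet(PREVIOUS, CURRENT, "2014-11-01", "2016-02-02"), indent=2))
```

The diff is keyed on asset identity rather than on a hash of the whole record so a changed impact rating is reported as "changed" in its zone instead of disappearing and reappearing; the deadline arithmetic works in calendar months rather than days because that is how the requirement is worded.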
CIP-003-5 R1 - 1.1 to 1.9: Each Responsible Entity, for its high impact
and medium impact BES Cyber Systems, shall review and obtain CIP
Senior Manager approval at least once every 15 calendar months for
one or more documented cyber security policies that collectively
address the following topics: 1.1 Personnel & training (CIP-004); 1.2
Electronic Security Perimeters (CIP-005) including Interactive Remote
Access; 1.3 Physical security of BES Cyber Systems (CIP-006); 1.4
System security management (CIP-007); 1.5 Incident reporting and
response planning (CIP-008); 1.6 Recovery plans for BES Cyber
Systems (CIP-009); 1.7 Configuration change management and
vulnerability assessments (CIP-010); 1.8 Information protection
(CIP-011); and 1.9 Declaring and responding to CIP Exceptional
Circumstances.
1. Policy language should address inventory and asset management
CIP-003 R2: Each Responsible Entity for its assets identified in CIP-
002-5, Requirement R1, Part R1.3, shall implement, in a manner that
identifies, assesses, and corrects deficiencies,
one or more documented cyber security policies that collectively
address the following topics, and review and obtain CIP Senior
Manager approval for those policies at least once every 15 calendar
months: [Violation Risk Factor: Lower] [Time Horizon: Operations
Planning]
2.1 Cyber security awareness;
2.2 Physical security controls;
2.3 Electronic access controls for external routable protocol
connections and Dial-up Connectivity; and
2.4 Incident response to a Cyber Security Incident.
An inventory, list, or discrete identification of low impact BES Cyber
Systems or their BES Cyber Assets is not required.
1. Policy language should address inventory and asset management
2. Policy language should address criteria for connecting external information systems
3. Information systems should be considered 'external' if they interconnect across security zones
CIP-005-5 R1: Each Responsible Entity shall implement one or more
documented processes that collectively include each of the applicable
requirement parts in CIP-005-5 Table R1 – Electronic Security
Perimeter.
1. Ensure documentation includes a reason for each inbound/outbound access flow
2. Ensure inventory includes assets in all security zones
3. Establish a methodology that identifies the Bulk Electric System (BES) Cyber Systems which perform
BES reliability operating services (BROS) and evaluate the potential for adverse impact that the loss,
compromise, or misuse would have on the reliable operation of the Bulk Electric System (BES).
ID.AM-4: External information systems are catalogued
EDM-1a EDM-1c
EDM-1e
EDM-1g
RM-1c
Page 2 of 34
MIL 1 MIL 2 MIL 3
Mapping of NIST Cybersecurity Framework to NERC CIP version 5
Nov-14
C2M2 Practices **
Function Category Subcategory NERC CIP v5 Guidance for combined NERC CIP v5 & NIST CSF
CIP-002-5.1 R1: Each Responsible Entity shall implement a process
that considers each of the following assets for purposes of parts 1.1
through 1.3: i. Control Centers and backup Control Centers; ii.
Transmission stations and substations; iii. Generation resources;
iv. Systems and facilities critical to system restoration, including
Blackstart Resources and Cranking Paths and initial switching
requirements; v. Special Protection Systems that support the reliable
operation of the Bulk Electric System; and vi. For Distribution
Providers, Protection Systems specified in Applicability section 4.2.1
above.
1. Ensure inventory includes assets in all security zones
2. Establish a methodology that identifies the Bulk Electric System (BES) Cyber Systems which perform
BES reliability operating services (BROS) and evaluate the potential for adverse impact that the loss,
compromise, or misuse would have on the reliable operation of the Bulk Electric System (BES).
CIP-003-5 R1 - 1.1 to 1.9: Each Responsible Entity, for its high impact
and medium impact BES Cyber Systems, shall review and obtain CIP
Senior Manager approval at least once every 15 calendar months for
one or more documented cyber security policies that collectively
address the following topics: 1.1 Personnel & training (CIP-004); 1.2
Electronic Security Perimeters (CIP-005) including Interactive Remote
Access; 1.3 Physical Security of BES Cyber Systems (CIP-006); 1.4
System security management (CIP-007); 1.5 Incident reporting and
response planning (CIP-008); 1.6 Recovery plans for BES Cyber
Systems (CIP-009); 1.7 Configuration change management and
vulnerability assessments (CIP-010); 1.8 Information protection
(CIP-011); and 1.9 Declaring and responding to CIP Exceptional
Circumstances.
1. Policy language should address inventory and asset management
2. Inventories should include classification, criticality, and business value
CIP-003 R2: Each Responsible Entity for its assets identified in CIP-
002-5, Requirement R1, Part R1.3, shall implement, in a manner that
identifies, assesses, and corrects deficiencies,
one or more documented cyber security policies that collectively
address the following topics, and review and obtain CIP Senior
Manager approval for those policies at least once every 15 calendar
months: [Violation Risk Factor: Lower] [Time Horizon: Operations
Planning]
2.1 Cyber security awareness;
2.2 Physical security controls;
2.3 Electronic access controls for external routable protocol
connections and Dial-up Connectivity; and
2.4 Incident response to a Cyber Security Incident.
An inventory, list, or discrete identification of low impact BES Cyber
Systems or their BES Cyber Assets is not required.
1. Policy language should address inventory and asset management
2. Inventories should include classification, criticality, and business value
CIP-005-5 R1: Each Responsible Entity shall implement one or more
documented processes that collectively include each of the applicable
requirement parts in CIP-005-5 Table R1 – Electronic Security
Perimeter.
1. Ensure inventory includes assets in all security zones
2. Ensure CIP-005-5 diagrams are coded to highlight classification, criticality, and business value for each
BES Cyber System
CIP-009-5 R1 - 1.1: Each Responsible Entity shall have one or more
documented recovery plans that collectively include each of the
applicable requirement parts in CIP-009-5 Table R1:
1.1 Conditions for activation of the recovery plan(s).
1. Recovery plans should be prioritized based on classification, criticality, and business value
CIP-003-5 R1 - 1.1: Each Responsible Entity, for its high impact and
medium impact BES Cyber Systems, shall review and obtain CIP
Senior Manager approval at least once every 15 calendar months for
one or more documented cyber security policies that collectively
address the following topics: Personnel & training (CIP‐004)
1. Ensure policy includes cybersecurity roles and responsibilities for the entire workforce, including third-
party stakeholders
CIP-003-5 R3: Each Responsible Entity shall identify a CIP Senior
Manager by name and document any change within 30 calendar days
of the change.
1. Clearly define the boundaries of the responsibilities of the CIP Senior Manager
ID.AM-5: Resources (e.g., hardware, devices,
data, and software) are prioritized based on their
classification, criticality, and business value
ACM-1a
ACM-1b
ACM-1c
ACM-1d
ID.AM-6: Cybersecurity roles and
responsibilities for the entire workforce and third-
party stakeholders (e.g., suppliers, customers,
partners) are established
WM-1a
WM-1b
WM-1c
CIP-003-5 R4: The Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, a documented
process to delegate authority, unless no delegations are used. Where
allowed by the CIP Standards, the CIP Senior Manager may delegate
authority for specific actions to a delegate or delegates. These
delegations shall be documented, including the name or title of the
delegate, the specific actions delegated, and the date of the
delegation; approved by the CIP Senior Manager; and updated within
30 days of any change to the delegation. Delegation changes do not
need to be reinstated with a change to the delegator.
1. Clearly define the responsibilities of the person or department responsible for cybersecurity issues
related to third-party stakeholders
CIP-004-5.1 R4: Each Responsible Entity shall implement, in a
manner that identifies, assesses, and corrects deficiencies, one or
more documented access management programs that collectively
include each of the applicable requirement parts in CIP‐004‐5.1 Table
R4 – Access Management Program.
1. Ensure cybersecurity provisioning procedures include handling of third-party access requests
2. Ensure cybersecurity staff are trained on access management procedures and policies related to third-
party access requests
ID.BE-1: The organization’s role in the supply
chain is identified and communicated
EDM-1b EDM-1d EDM-1f
EDM-1g
RM-1c
1. Clearly define the responsibilities of the person or department responsible for cybersecurity issues
related to third-party stakeholders
ID.BE-2: The organization’s place in critical
infrastructure and its industry sector is identified
and communicated
EDM-1b EDM-1d
CPM-1c
EDM-1f
EDM-1g
RM-1c
1. Opportunities to communicate the organization's place in critical infrastructure include: security
awareness, annual cybersecurity training, and organizational policies
ID.BE-3: Priorities for organizational mission,
objectives, and activities are established and
communicated
RM-3b
RM-1c
1. Opportunities to communicate the organization's mission, objectives, and activities include: security
awareness, annual cybersecurity training, and organizational policies
ID.BE-4: Dependencies and critical functions for
delivery of critical services are established
ACM-1a
ACM-1b
EDM-1a
ACM-1c
ACM-1d
EDM-1c
EDM-1e
ACM-1e
ACM-1f
RM-1c
EDM-1g
CIP-002-5.1 R1: Each Responsible Entity shall implement a process
that considers each of the following assets for purposes of parts 1.1
through 1.3: i. Control Centers and backup Control Centers; ii.
Transmission stations and substations; iii. Generation resources;
iv. Systems and facilities critical to system restoration, including
Blackstart Resources and Cranking Paths and initial switching
requirements; v. Special Protection Systems that support the reliable
operation of the Bulk Electric System; and vi. For Distribution
Providers, Protection Systems specified in Applicability section 4.2.1
above.
1. Ensure identification of cyber assets, electronic access points, and data flows that facilitate delivery of
critical services that are supported by networks other than those subject to NERC CIP
ID.BE-5: Resilience requirements to support
delivery of critical services are established
IR-4a
IR-4b
IR-4c
IR-4e
CIP-009-5 R1: Each Responsible Entity shall have one or more
documented recovery plans that collectively include each of the
applicable requirement parts in CIP‐009‐5 Table R1 – Recovery Plan
Specifications.
1. Ensure identification of cyber assets, electronic access points, and data flows that facilitate delivery of
critical services that are supported by networks other than those subject to NERC CIP
CIP-003-5 R1 - 1.1 to 1.9: Each Responsible Entity, for its high impact
and medium impact BES Cyber Systems, shall review and obtain CIP
Senior Manager approval at least once every 15 calendar months for
one or more documented cyber security policies that collectively
address the following topics: 1.1 Personnel & training (CIP-004); 1.2
Electronic Security Perimeters (CIP-005) including Interactive Remote
Access; 1.3 Physical Security of BES Cyber Systems (CIP-006); 1.4
System security management (CIP-007); 1.5 Incident reporting and
response planning (CIP-008); 1.6 Recovery plans for BES Cyber
Systems (CIP-009); 1.7 Configuration change management and
vulnerability assessments (CIP-010); 1.8 Information protection
(CIP-011); and 1.9 Declaring and responding to CIP Exceptional
Circumstances.
1. Establish an organization information security policy
ID.GV-1: Organizational information security policy is established
RM-1a CPM-2g CPM-5d
RM-3e
Business Environment (BE): The organization’s
mission, objectives, stakeholders, and activities are
understood and prioritized; this information is used to
inform cybersecurity roles, responsibilities, and risk
management decisions.
Governance (GV): The policies, procedures, and
processes to manage and monitor the organization’s
regulatory, legal, risk, environmental, and operational
requirements are understood and inform the
management of cybersecurity risk.
IDENTIFY (ID)
CIP-003-5 R2: Each Responsible Entity for its assets identified in
CIP‐002‐5, Requirement R1, Part R1.3, shall implement, in a manner
that identifies, assesses, and corrects deficiencies, one or more
documented cyber security policies that collectively address the
following topics, and review and obtain CIP Senior Manager approval
for those policies at least once every 15 calendar months: (An
inventory, list, or discrete identification of low impact BES Cyber
Systems or their BES Cyber Assets is not required). (2.1) Cyber
security awareness; (2.2) Physical security controls; (2.3) Electronic
access controls for external routable protocol connections and Dial‐up
Connectivity; and (2.4) Incident response to a Cyber Security Incident.
1. Establish an organization information security policy
CIP-004-5.1 R1: Each Responsible Entity shall implement one or
more documented processes that collectively include each of the
applicable requirement parts in CIP‐004‐5.1 Table R1 – Security
Awareness Program. (1.1) Security awareness that, at least once
each calendar quarter, reinforces cyber security practices (which may
include associated physical security practices) for the Responsible
Entity’s personnel who have authorized electronic or authorized
unescorted physical access to BES Cyber Systems.
1. Ensure employees and third parties are made aware of the organizational security policy
CIP-004-5.1 R3: Each Responsible Entity shall implement, in a
manner that identifies, assesses, and corrects deficiencies, one or
more documented personnel risk assessment programs to attain and
retain authorized electronic or authorized unescorted physical access
to BES Cyber Systems that collectively include each of the applicable
requirement parts in CIP‐004‐5.1 Table R3 – Personnel Risk
Assessment Program.
1. Ensure employees and third parties are provided annual training on the contents of the organizational
security policy
CIP-003-5 R3: Each Responsible Entity shall identify a CIP Senior
Manager by name and document any change within 30 calendar days
of the change.
1. Develop a clear policy "line of sight" extending from the Board level down to the end user
2. Establish clear responsibilities both inside and outside the NERC cyber security program
CIP-003-5 R4: The Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, a documented
process to delegate authority, unless no delegations are used. Where
allowed by the CIP Standards, the CIP Senior Manager may delegate
authority for specific actions to a delegate or delegates. These
delegations shall be documented, including the name or title of the
delegate, the specific actions delegated, and the date of the
delegation; approved by the CIP Senior Manager; and updated within
30 days of any change to the delegation. Delegation changes do not
need to be reinstated with a change to the delegator.
1. Ensure that information security roles and responsibilities for BES Cyber Systems are consistent and
compatible with the information security roles and responsibilities for other enterprise systems (e.g., IT or
physical security).
ID.GV-3: Legal and regulatory requirements
regarding cybersecurity, including privacy and
civil liberties obligations, are understood and
managed
CPM-2k
IR-3n
RM-3f
ACM-4f
IAM-3f
TVM-3f
SA-4f
ISC-2f
IR-5f
EDM-3f
WM-5f
1. Enhance cybersecurity training and awareness program by including content on the NERC ERO model,
and the NIST Cybersecurity Framework and any related regulatory frameworks.
ID.GV-4: Governance and risk management
processes address cybersecurity risks
RM-2a
RM-2b
RM-3b RM-2h
RM-3e
RM-1c
RM-1e
1. Where CIP version 5 has moved from a risk-based to a bright-line based approach to identifying in-
scope assets, organizations should focus on integrating their methodology with their enterprise risk-
management frameworks.
2. Additional cyber systems should be identified and protected based on their risk to the business or risk to
the reliability of the bulk electric system
ID.GV-2: Information security roles &
responsibilities are coordinated and aligned with
internal roles and external partners
WM-1a
WM-1b
WM-1c
WM-5b
ISC-2b
WM-1f
WM-1g
CIP-010-1 R3: Each Responsible Entity shall implement one or more
documented processes that collectively include each of the applicable
requirement parts in CIP-010-1 Table R3 – Vulnerability
Assessments.
CIP-003-5 R1 - 1.2: Each Responsible Entity, for its high impact and
medium impact BES Cyber Systems, shall review and obtain CIP
Senior Manager approval at least once every 15 calendar months for
one or more documented cyber security policies that collectively
address the following topics: Electronic Security Perimeters (CIP‐005)
including Interactive Remote Access;
1. Policies for Interactive Remote Access should be established
2. Adherence to Interactive Remote Access policies should be measured as part of the vulnerability
assessment processes
CIP-003-5 R1 - 1.4: Each Responsible Entity, for its high impact and
medium impact BES Cyber Systems, shall review and obtain CIP
Senior Manager approval at least once every 15 calendar months for
one or more documented cyber security policies that collectively
address the following topics: System security management (CIP‐007);
1. Policies for Systems Security Management should be established
2. Adherence to Systems Security Management policies should be measured as part of the vulnerability
assessment processes
CIP-003-5 R1 - 1.7: Each Responsible Entity, for its high impact and
medium impact BES Cyber Systems, shall review and obtain CIP
Senior Manager approval at least once every 15 calendar months for
one or more documented cyber security policies that collectively
address the following topics: Configuration change management and
vulnerability assessments (CIP‐010);
1. Policies for Change Management should be established
2. Adherence to Change Management policies should be measured as part of the vulnerability assessment
processes
CIP-003-5 R1 - 1.3: Each Responsible Entity, for its high impact and
medium impact BES Cyber Systems, shall review and obtain CIP
Senior Manager approval at least once every 15 calendar months for
one or more documented cyber security policies that collectively
address the following topics: Physical security of BES Cyber Systems
(CIP‐006);
1. Policies for Physical Access should be established
2. Adherence to Physical Access policies should be measured as part of the vulnerability assessment
processes
CIP-007-5 R2: Each Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, one or more
documented processes that collectively include each of the applicable
requirement parts in CIP-007-5 Table R2 – Security Patch
Management.
1. Security Patch Management should be established
2. Adherence to Security Patch Management practices should be measured as part of the vulnerability
assessment processes
3. Missing security patches should be compared to the documented mitigation plans
CIP-007-5 R2: Each Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, one or more
documented processes that collectively include each of the applicable
requirement parts in CIP-007-5 Table R2 – Security Patch
Management.
1. Ensure you are getting information from sources such as ICS-CERT, ES-ISAC, US-CERT, relevant
vendor forums, and other applicable information sharing forums and sources.
CIP-010-1 R3: Each Responsible Entity shall implement one or more
documented processes that collectively include each of the applicable
requirement parts in CIP-010-1 Table R3 – Vulnerability
Assessments.
1. Enhance the vulnerability assessment processes by inclusion of a threat management practice that can
be executed quickly in reaction to a threat (zero-day attack targeting BASH, for instance)
ID.RA-3: Threats, both internal and external, are
identified and documented
TVM-1a
TVM-1b
TVM-1d
TVM-1e
TVM-1f
RM-1c
RM-2j
TVM-1i
TVM-1j
CIP-007-5 R4 - 4.1: Log events at the BES Cyber System level (per
BES Cyber System capability) or at the Cyber Asset level (per Cyber
Asset capability) for identification of, and after-the-fact investigations
of, Cyber Security Incidents that includes,
as a minimum, each of the following types of events:
4.1.1. Detected successful login attempts;
4.1.2. Detected failed access attempts and failed login attempts;
4.1.3. Detected malicious code.
1. Enhance the threat management practice by implementing procedures to:
- modify logging levels in reaction to high-impact threat
- obtain signatures of known attacks and search your environment for matches
- perform vulnerability scans against test or standby systems whose configuration matches production
systems
- establish multi-tier response guidelines such that security events are researched more quickly under
higher threat levels
ID.RA-1: Asset vulnerabilities are identified and
documented
TVM-2a
TVM-2b
TVM-2c
TVM-2d
TVM-2e
TVM-2f
RM-1c
RM-2j
TVM-2i
TVM-2j
TVM-2k
TVM-2l
TVM-2m
ID.RA-2: Threat and vulnerability information is
received from information sharing forums and
sources
TVM-1a
TVM-1b
TVM-2a
TVM-2b
Risk Assessment (RA): The organization understands
the cybersecurity risk to organizational operations
(including mission, functions, image, or reputation),
organizational assets, and individuals.
ID.RA-4: Potential business impacts and
likelihoods are identified
TVM-1d
TVM-1f
TVM-1i
CIP-002-5.1 R1: Each Responsible Entity shall implement a process
that considers each of the following assets for purposes of parts 1.1
through 1.3: i. Control Centers and backup Control Centers; ii.
Transmission stations and substations; iii. Generation resources;
iv. Systems and facilities critical to system restoration, including
Blackstart Resources and Cranking Paths and initial switching
requirements; v. Special Protection Systems that support the reliable
operation of the Bulk Electric System; and vi. For Distribution
Providers, Protection Systems specified in Applicability section 4.2.1
above.
1. Where CIP version 5 has moved from a risk-based to a bright-line based approach to identifying in-
scope assets, organizations should focus on integrating their methodology with their enterprise risk-
management frameworks.
2. Additional cyber systems should be identified and protected based on their risk to the business or risk to
the reliability of the bulk electric system
CIP-007-5 R2: Each Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, one or more
documented processes that collectively include each of the applicable
requirement parts in CIP-007-5 Table R2 – Security Patch
Management.
1. Enhance patch mitigation plans by documenting impacts and business risk
2. Business risk can be informative for scheduling patch deployments and mitigation plans
CIP-010-1 R3: Each Responsible Entity shall implement one or more
documented processes that collectively include each of the applicable
requirement parts in CIP-010-1 Table R3 – Vulnerability
Assessments.
1. Enhance vulnerability assessment processes by documenting potential impacts and business risk
2. Business risk can be informative for scheduling vulnerability assessment findings and mitigation plans
CIP-007-5 R2: Each Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, one or more
documented processes that collectively include each of the applicable
requirement parts in CIP-007-5 Table R2 – Security Patch
Management.
1. Business risk can be informative for scheduling patch deployments and mitigation plans
CIP-008-5 R1 - 1.1: Each Responsible Entity shall document one or
more Cyber Security Incident response plan(s) that collectively
include
1.1 One or more processes to identify, classify, and respond to Cyber
Security Incidents.
1. Business risk can be informative for developing prioritized incident response plans
CIP-010-1 R3: Each Responsible Entity shall implement one or more
documented processes that collectively include each of the applicable
requirement parts in CIP-010-1 Table R3 – Vulnerability
Assessments.
1. Business risk can be informative for scheduling vulnerability assessment findings and mitigation plans
ID.RM-1: Risk management processes are
established, managed, and agreed to by
organizational stakeholders
RM-2a
RM-2b
RM-1a
RM-1b
RM-2c
RM-2d
RM-2e
RM-2f
RM-2g
RM-3a
RM-3b
RM-3c
RM-3d
RM-1c
RM-1d
RM-1e
RM-2h
RM-2i
RM-2j
RM-3e
RM-3f
RM-3g
RM-3h
RM-3i
1. Enterprise risk management practices should include risks associated with BES Cyber Systems, to
include what is unique about these systems as well as what makes them similar to other enterprise
information systems.
ID.RM-2: Organizational risk tolerance is
determined and clearly expressed
RM-1c
RM-1e
1. Risks should be assigned to business process owners who have the authority to effect change, mitigate,
or accept risk.
ID.RM-3: The organization’s determination of
risk tolerance is informed by their role in critical
infrastructure and sector specific risk analysis
RM-1b
RM-1c
1. Business process owners who manage risks associated with BES Cyber Systems should be educated in
their responsibilities as a critical infrastructure custodian.
CIP-003-5 R1 - 1.1: Each Responsible Entity, for its high impact and
medium impact BES Cyber Systems, shall review and obtain CIP
Senior Manager approval at least once every 15 calendar months for
one or more documented cyber security policies that collectively
address the following topics: Personnel & training (CIP‐004)
1. Access control rules for logical system access should be clearly stated in an organizational policy with a
goal to protect systems from unauthorized access. The policy should address the granting, modification,
removal, and review of access permissions. The policy should establish the requirements for the use of
"principle of least privilege" or "need to know". The access control policy should be periodically reviewed
and approved by an appropriate member of senior management.
2. Policies should include requirements for granting access only when background check and training
requirements are met
ID.RA-6: Risk responses are identified and
prioritized
RM-2e RM-1c
RM-2j
TVM-1i
TVM-2l
IR-3m
IR-4d
IR-4e
PR.AC-1: Identities and credentials are
managed for authorized devices and users
IAM-1a
IAM-1b
IAM-1c
IAM-1d
IAM-1e
IAM-1f
RM-1c
IAM-1g
ID.RA-5: Threats, vulnerabilities, likelihoods,
and impacts are used to determine risk
RM-1c
RM-2j
TVM-1i
TVM-2l
TVM-2m
Risk Management Strategy (RM): The organization’s
priorities, constraints, risk tolerances, and assumptions
are established and used to support operational risk
decisions.
Access Control (AC): Access to assets and associated
facilities is limited to authorized users, processes, or
devices, and to authorized activities and transactions.
CIP-003-5 R1 - 1.4: Each Responsible Entity, for its high impact and
medium impact BES Cyber Systems, shall review and obtain CIP
Senior Manager approval at least once every 15 calendar months for
one or more documented cyber security policies that collectively
address the following topics: System security management (CIP‐007);
1. Access control rules for logical system access should be clearly stated in an organizational policy with a
goal to protect systems from unauthorized access. The policy should address the granting, modification,
removal, and review of access permissions. The policy should establish the requirements for the use of
"principle of least privilege" or "need to know". The access control policy should be periodically reviewed
and approved by an appropriate member of senior management.
2. Policies should include requirements for management of system-level credentials
CIP-003-5 R2 - 2.3: Each Responsible Entity for its assets identified
in CIP-002-5, Requirement R1, Part R1.3 (i.e., low impact), shall
implement, in a manner that identifies, assesses, and corrects
deficiencies, one or more documented cyber security policies that
collectively address the following topics, and review and obtain CIP
Senior Manager approval for those policies at least once every 15
calendar months: Electronic access controls for external routable
protocol connections and Dial-up Connectivity
1. Access control rules for asset and facility access should be clearly stated in an organizational policy with
a goal to protect systems from unauthorized access. The policy should address the granting, modification,
removal, and review of access permissions. The policy should establish the requirements for the use of
"principle of least privilege" or "need to know". The access control policy should be periodically reviewed
and approved by an appropriate member of senior management.
2. Policies should include requirements for management of credentials related to secure dial-up
connections.
CIP-004-5.1 R4: Each Responsible Entity shall implement, in a
manner that identifies, assesses, and corrects deficiencies, one or
more documented access management programs that collectively
include each of the applicable requirement parts in CIP‐004‐5.1 Table
R4 – Access Management Program.
1. A formal procedure or process should be defined for managing logical system access. The procedure or
process should encompass: (1) granting of access (including training and background checks), and (2)
periodic review of access permissions (including review and update of training and background checks).
The procedure or process should demonstrate implementation of "principle of least privilege" or "need to
know". This can be accomplished through a written procedure or documented workflow.
CIP-004-5.1 R5: Each Responsible Entity shall implement, in a
manner that identifies, assesses, and corrects deficiencies, one or
more documented access revocation programs that collectively
include each of the applicable requirement parts in CIP‐004‐5.1 Table
R5 – Access Revocation.
1. A formal procedure or process should be defined for revoking logical system access and shared account
access. The procedure or process should ensure that the triggering events (e.g., termination, promotion,
job transfer) for access revocation are clearly stated and how those events are incorporated into access
revocation processes. This can be accomplished through a written procedure or documented workflow.
CIP-007-5 R5: Each Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, one or more
documented processes that collectively include each of the applicable
requirement parts in CIP-007-5 Table R5 – System Access Controls.
1. There should be a formal procedure or process for managing system access controls to protect systems
from unauthorized access. The procedure or process should define: (1) the use of authentication methods;
(2) management of default accounts provided by vendors and accounts shared by multiple people; (3)
management of all entity-defined accounts shared by multiple people, including generic, service, and
administrator accounts; (4) implementation of password requirements, including complexity and periodic
changes; and (5) limiting and alerting on unsuccessful login attempts for all accounts.
CIP-003-5 R1 - 1.1: Each Responsible Entity, for its high impact and
medium impact BES Cyber Systems, shall review and obtain CIP
Senior Manager approval at least once every 15 calendar months for
one or more documented cyber security policies that collectively
address the following topics: Personnel & training (CIP‐004)
1. Access control rules for logical system access should be clearly stated in an organizational policy with a
goal to protect systems from unauthorized access. The policy should address the granting, modification,
removal, and review of access permissions. The policy should establish the requirements for the use of
"principle of least privilege" or "need to know". The access control policy should be periodically reviewed
and approved by an appropriate member of senior management.
2. Policies should include requirements for granting access only when background check and training
requirements are met.
CIP-003-5 R1 - 1.3: Each Responsible Entity, for its high impact and
medium impact BES Cyber Systems, shall review and obtain CIP
Senior Manager approval at least once every 15 calendar months for
one or more documented cyber security policies that collectively
address the following topics: Physical security of BES Cyber Systems
(CIP‐006);
1. Access control rules for physical access should be clearly stated in an organizational policy with a goal
to protect systems from unauthorized access. The policy should address the granting, modification,
removal, and review of access permissions. The policy should establish the requirements for the use of
"principle of least privilege" or "need to use". The access control policy should be periodically reviewed and
approved by an appropriate member of senior management.
CIP-003-5 R2 - 2.2: Each Responsible Entity for its assets identified
in CIP‐002‐5, Requirement R1, Part R1.3, shall implement, in a
manner that identifies, assesses, and corrects deficiencies, one or
more documented cyber security policies that collectively address the
following topics, and review and obtain CIP Senior Manager approval
for those policies at least once every 15 calendar months: Physical
security controls;
1. Access control rules for physical access should be clearly stated in an organizational policy with a goal
to protect systems from unauthorized access. The policy should address the granting, modification,
removal, and review of access permissions. The policy should establish the requirements for the use of
"principle of least privilege" or "need to use". The access control policy should be periodically reviewed and
approved by an appropriate member of senior management.
CIP-004-5.1 R4: Each Responsible Entity shall implement, in a
manner that identifies, assesses, and corrects deficiencies, one or
more documented access management programs that collectively
include each of the applicable requirement parts in CIP‐004‐5.1 Table
R4 – Access Management Program.
1. A formal procedure or process should be defined for managing physical access. The procedure or
process should encompass: (1) granting of access (including training and background checks), and (2)
periodic review of access permissions (including review and update of training and background checks).
The procedure or process should demonstrate implementation of "principle of least privilege" or "need to
know". This can be accomplished through a written procedure or documented workflow.
CIP-004-5.1 R5: Each Responsible Entity shall implement, in a
manner that identifies, assesses, and corrects deficiencies, one or
more documented access revocation programs that collectively
include each of the applicable requirement parts in CIP‐004‐5.1 Table
R5 – Access Revocation.
1. There should be a formal procedure or process for revoking physical access and information access. The procedure or process should clearly state the triggering events (e.g., termination, promotion, job transfer) for access revocation and how those events are incorporated into the access revocation process. This can be accomplished through a written procedure or documented workflow.
PR.AC-2: Physical access to assets is managed and protected (C2M2 practices: IAM-2a, IAM-2b, IAM-2c, IAM-2d, IAM-2e, IAM-2f, IAM-2g)
Page 8 of 34
Mapping of NIST Cybersecurity Framework to NERC CIP version 5, Nov-14
Columns: Function | Category | Subcategory | NERC CIP v5 | Guidance for combined NERC CIP v5 & NIST CSF | C2M2 Practices ** (MIL 1, MIL 2, MIL 3)
CIP-006-5 R1: Each Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, one or more
documented physical security plans that collectively include all of the
applicable requirement parts in CIP-006-5 Table R1 – Physical
Security Plan.
1. There should be a formal procedure or process for managing physical access controls to protect
systems from unauthorized access. The procedure or process should define: (1) the use of access control
mechanisms; (2) logging of entry and exit; (3) monitoring of physical premises; and (4) alerting on
unauthorized access.
CIP-006-5 R2: Each Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, one or more
documented visitor control programs that include each of the
applicable requirement parts in CIP-006-5 Table R2 – Visitor Control
Program.
1. There should be a formal procedure or process for managing visitors to premises. The procedure or process should define: (1) logging of entry and exit; and (2) continuous escort and supervision of visitors.
CIP-003-5 R1 - 1.1: Each Responsible Entity, for its high impact and
medium impact BES Cyber Systems, shall review and obtain CIP
Senior Manager approval at least once every 15 calendar months for
one or more documented cyber security policies that collectively
address the following topics: Personnel & training (CIP‐004)
1. Access control rules for logical system access should be clearly stated in an organizational policy with a
goal to protect systems from unauthorized access. The policy should address the granting, modification,
removal, and review of access permissions. The policy should establish the requirements for the use of
"principle of least privilege" or "need to know". The access control policy should be periodically reviewed
and approved by an appropriate member of senior management.
CIP-003-5 R1 - 1.2: Each Responsible Entity, for its high impact and
medium impact BES Cyber Systems, shall review and obtain CIP
Senior Manager approval at least once every 15 calendar months for
one or more documented cyber security policies that collectively
address the following topics: Electronic Security Perimeters (CIP‐005)
including Interactive Remote Access;
1. Access control rules for remote access should be clearly stated in an organizational policy with a goal to
protect systems from unauthorized access. The policy should address the granting, modification, removal,
and review of access permissions. The policy should establish the requirements for the use of "principle of
least privilege" or "need to use". The access control policy should be periodically reviewed and approved
by an appropriate member of senior management.
CIP-003-5 R2 - 2.3: Each Responsible Entity for its assets identified
in CIP-002-5, Requirement R1, Part R1.3 (i.e., low impact), shall
implement, in a manner that identifies, assesses, and corrects
deficiencies, one or more documented cyber security policies that
collectively address the following topics, and review and obtain CIP
Senior Manager approval for those policies at least once every 15
calendar months: Electronic access controls for external routable
protocol connections and Dial-up Connectivity
1. Access control rules for remote access should be clearly stated in an organizational policy with a goal to
protect systems from unauthorized access. The policy should address the granting, modification, removal,
and review of access permissions. The policy should establish the requirements for the use of "principle of
least privilege" or "need to use". The access control policy should be periodically reviewed and approved
by an appropriate member of senior management.
CIP-004-5.1 R4: Each Responsible Entity shall implement, in a
manner that identifies, assesses, and corrects deficiencies, one or
more documented access management programs that collectively
include each of the applicable requirement parts in CIP‐004‐5.1 Table
R4 – Access Management Program.
1. A formal procedure or process should be defined for managing remote access. The procedure or
process should encompass: (1) granting of access (including training and background checks), and (2)
periodic review of access permissions (including review and update of training and background checks).
The procedure or process should demonstrate implementation of "principle of least privilege" or "need to
know". This can be accomplished through a written procedure or documented workflow.
CIP-004-5.1 R5: Each Responsible Entity shall implement, in a
manner that identifies, assesses, and corrects deficiencies, one or
more documented access revocation programs that collectively
include each of the applicable requirement parts in CIP‐004‐5.1 Table
R5 – Access Revocation.
1. There should be a formal procedure or process for revoking physical access and information access. The procedure or process should clearly state the triggering events (e.g., termination, promotion, job transfer) for access revocation and how those events are incorporated into the access revocation process. This can be accomplished through a written procedure or documented workflow.
CIP-005-5 R1: Each Responsible Entity shall implement one or more
documented processes that collectively include each of the applicable
requirement parts in CIP-005-5 Table R1 – Electronic Security
Perimeter.
1. There should be a formal procedure or process to monitor and control dial-up remote access to the information system, and such access should require authentication.
CIP-005-5 R2: Each Responsible Entity allowing Interactive Remote
Access to BES Cyber Systems shall implement one or more
documented processes that collectively include the applicable
requirement parts, where technically feasible, in CIP-005-5 Table R2
– Interactive Remote Access Management.
1. There should be a formal procedure or process to monitor and control all methods of remote access (e.g., VPN, Citrix) to the information system. Remote access should only be allowed through managed access control points that do not allow direct access to protected assets. Encryption should be used to protect the confidentiality of remote access sessions. Multi-factor authentication should be used for all remote access sessions.
CIP-003-5 R1 - 1.4: Each Responsible Entity, for its high impact and
medium impact BES Cyber Systems, shall review and obtain CIP
Senior Manager approval at least once every 15 calendar months for
one or more documented cyber security policies that collectively
address the following topics: System security management (CIP‐007);
1. Access control rules for logical system access should be clearly stated in an organizational policy with a
goal to protect systems from unauthorized access. The policy should address the granting, modification,
removal, and review of access permissions. The policy should establish the requirements for the use of
"principle of least privilege" or "need to know". The access control policy should be periodically reviewed
and approved by an appropriate member of senior management.
2. Policies should contain requirements for management of system-level credentials.
CIP-003-5 R1 - 1.8: Each Responsible Entity, for its high impact and
medium impact BES Cyber Systems, shall review and obtain CIP
Senior Manager approval at least once every 15 calendar months for
one or more documented cyber security policies that collectively
address the following topics: Information protection (CIP‐011);
1. Access control rules for logical system access should be clearly stated in an organizational policy with a
goal to protect systems from unauthorized access. The policy should address the granting, modification,
removal, and review of access permissions. The policy should establish the requirements for the use of
"principle of least privilege" or "need to know". The access control policy should be periodically reviewed
and approved by an appropriate member of senior management.
2. Policies should contain requirements for information access management, including information in hard-
copy formats, information in transit, and data at rest.
PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties (C2M2 practices: IAM-2d)
PR.AC-3: Remote access is managed (C2M2 practices: IAM-2a, IAM-2b, IAM-2c, IAM-2d, IAM-2e, IAM-2f, IAM-2g)
CIP-004-5.1 R4: Each Responsible Entity shall implement, in a
manner that identifies, assesses, and corrects deficiencies, one or
more documented access management programs that collectively
include each of the applicable requirement parts in CIP‐004‐5.1 Table
R4 – Access Management Program.
1. A formal procedure or process should be defined for managing logical system access. The procedure or
process should encompass: (1) granting of access (including training and background checks), and (2)
periodic review of access permissions (including review and update of training and background checks).
The procedure or process should demonstrate implementation of "principle of least privilege" or "need to
know". This can be accomplished through a written procedure or documented workflow.
CIP-004-5.1 R5: Each Responsible Entity shall implement, in a
manner that identifies, assesses, and corrects deficiencies, one or
more documented access revocation programs that collectively
include each of the applicable requirement parts in CIP‐004‐5.1 Table
R5 – Access Revocation.
1. There should be a formal procedure or process for managing system access controls to protect systems
from unauthorized access. The procedure or process should define: (1) the use of authentication methods;
(2) management of default accounts provided by vendors and accounts shared by multiple people; (3)
management of all entity-defined accounts shared by multiple people, including generic, service, and
administrator accounts; (4) implementation of password requirements, including complexity and periodic
changes; and (5) limiting and alerting on unsuccessful login attempts for all accounts.
CIP-007-5 R5: Each Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, one or more
documented processes that collectively include each of the applicable
requirement parts in CIP-007-5 Table R5 – System Access Controls.
1. There should be a formal procedure or process for managing system access controls to protect systems
from unauthorized access. The procedure or process should define: (1) the use of authentication methods;
(2) management of default accounts provided by vendors and accounts shared by multiple people; (3)
management of all entity-defined accounts shared by multiple people, including generic, service, and
administrator accounts; (4) implementation of password requirements, including complexity and periodic
changes; and (5) limiting and alerting on unsuccessful login attempts for all accounts. The procedure or
process should demonstrate implementation of "principle of least privilege" or "need to know". This can be
accomplished through a written procedure or documented workflow.
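The CIP-007-5 R5 guidance above (and its earlier occurrence under PR.AC-1) calls for managing vendor default accounts and for limiting and alerting on unsuccessful login attempts. As an added illustration, not part of the mapping document or of any NERC or NIST material, the following Python implements both checks over a constructed authentication log: a sliding-window count of failed logins per account with an alert threshold, and a flag on successful logins that use a documented default account name. The log format, host names, user names, addresses and the default-account list are all constructed for the example.

```python
"""Added example: checks for CIP-007-5 R5 items (2) and (5) over constructed log lines."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (hypothetical hosts, users and addresses).
SAMPLE_LOG = """\
2014-11-03T08:00:01 host=hmi01 user=operator result=FAIL src=10.1.1.20
2014-11-03T08:00:09 host=hmi01 user=operator result=FAIL src=10.1.1.20
2014-11-03T08:00:15 host=hmi01 user=operator result=FAIL src=10.1.1.20
2014-11-03T08:00:22 host=hmi01 user=operator result=FAIL src=10.1.1.20
2014-11-03T08:00:30 host=hmi01 user=operator result=FAIL src=10.1.1.20
2014-11-03T08:01:00 host=hmi01 user=operator result=OK src=10.1.1.20
2014-11-03T09:10:00 host=rtu07 user=admin result=OK src=10.1.2.5
2014-11-03T09:15:00 host=rtu07 user=jsmith result=FAIL src=10.1.2.9
2014-11-03T11:15:00 host=rtu07 user=jsmith result=FAIL src=10.1.2.9
"""

# Hypothetical list of vendor default account names the entity has documented.
DEFAULT_ACCOUNTS = {"admin", "root", "guest"}

THRESHOLD = 5                   # unsuccessful attempts that trigger an alert
WINDOW = timedelta(minutes=15)  # sliding window over which attempts are counted


def parse_line(line):
    """Parse one 'timestamp key=value ...' record into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def records(log_text):
    """All non-empty log lines, parsed, in file order."""
    return [parse_line(l) for l in log_text.splitlines() if l.strip()]


def failed_login_alerts(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {(host, user): peak_count} for accounts that reach `threshold`
    unsuccessful attempts within any sliding interval of length `window`."""
    recent = defaultdict(list)  # (host, user) -> failure timestamps still inside the window
    alerts = {}
    for rec in records(log_text):
        if rec["result"] != "FAIL":
            continue
        key = (rec["host"], rec["user"])
        cutoff = rec["ts"] - window
        recent[key] = [t for t in recent[key] if t > cutoff] + [rec["ts"]]
        if len(recent[key]) >= threshold:
            alerts[key] = max(alerts.get(key, 0), len(recent[key]))
    return alerts


def default_account_logins(log_text, defaults=DEFAULT_ACCOUNTS):
    """Return (host, user, src) for every successful login with a documented default account name."""
    return [(r["host"], r["user"], r["src"])
            for r in records(log_text)
            if r["result"] == "OK" and r["user"] in defaults]


if __name__ == "__main__":
    for (host, user), n in failed_login_alerts(SAMPLE_LOG).items():
        print(f"ALERT {host} {user}: {n} failed logins within {WINDOW}")
    for host, user, src in default_account_logins(SAMPLE_LOG):
        print(f"REVIEW {host}: default account '{user}' used from {src}")
```

The sliding window matters for the guidance's intent: two failures hours apart (jsmith in the sample) are ordinary, while five within a minute on one account (operator) are what item (5) asks the entity to limit and alert on. Any successful use of a vendor default account is listed for review regardless of outcome, since item (2) is about whether such accounts still exist, not whether the login failed.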
CIP-003-5 R1 - 1.2: Each Responsible Entity, for its high impact and
medium impact BES Cyber Systems, shall review and obtain CIP
Senior Manager approval at least once every 15 calendar months for
one or more documented cyber security policies that collectively
address the following topics: Electronic Security Perimeters (CIP‐005)
including Interactive Remote Access;
1. Access control rules for logical system access should be clearly stated in an organizational policy with a
goal to protect systems from unauthorized access. The policy should address the restriction of access to
the network layer. This can be accomplished through network segmentation and network access controls.
2. Policies should contain requirements for network segmentation as it pertains to Interactive Remote
Access connections.
CIP-003-5 R1 - 1.8: Each Responsible Entity, for its high impact and
medium impact BES Cyber Systems, shall review and obtain CIP
Senior Manager approval at least once every 15 calendar months for
one or more documented cyber security policies that collectively
address the following topics: Information protection (CIP‐011);
1. Access control rules for logical system access should be clearly stated in an organizational policy with a
goal to protect systems from unauthorized access. The policy should address the restriction of access to
the network layer. This can be accomplished through network segmentation and network access controls.
2. Policies should contain requirements for information protection within, and between, the various network
security zones.
CIP-005-5 R1: Each Responsible Entity shall implement one or more
documented processes that collectively include each of the applicable
requirement parts in CIP-005-5 Table R1 – Electronic Security
Perimeter.
1. There should be formal procedures and processes to implement security zones separating protected
assets from other organizational networks and public networks. Monitoring of communications at the
network boundary should be implemented. Connection to protected assets should only be through
managed interfaces consisting of boundary protection devices arranged in accordance with an
organizational documented security architecture.
CIP-007-5 R1: Each Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, one or more
documented processes that collectively include each of the applicable
requirement parts in CIP-007-5 Table R1 – Ports and Services.
1. There should be formal procedures and processes to manage and secure network accessible ports as
well as physical I/O ports in operation on an asset. This includes monitoring and documenting the status
and use of discovered ports.
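The CIP-007-5 R1 guidance asks for discovered ports to be compared with what is documented as needed on each asset. As an added example, not part of the mapping document or of any NERC or NIST material, the following Python parses a constructed port-inventory listing and reports, per asset, ports found open that have no documented need and documented ports that were not found open (a sign the baseline is stale). The asset names, the baseline and the listing format are constructed for the example.

```python
"""Added example: compare discovered listening ports against a documented per-asset baseline."""

# Constructed baseline of documented, needed ports per asset (hypothetical values).
# Each entry: (protocol, port, reason the port is needed).
BASELINE = {
    "hmi01": {("tcp", 443, "HMI web console"), ("tcp", 22, "SSH for maintenance")},
    "rtu07": {("tcp", 20000, "DNP3"), ("tcp", 22, "SSH for maintenance")},
}

# Constructed discovery output, one "asset proto port state" line per socket,
# as a port inventory tool might emit after normalisation.
DISCOVERY_OUTPUT = """\
hmi01 tcp 443 LISTEN
hmi01 tcp 22 LISTEN
hmi01 tcp 23 LISTEN
rtu07 tcp 20000 LISTEN
rtu07 udp 161 LISTEN
rtu07 tcp 80 CLOSED
"""


def parse_discovery(text):
    """Return {asset: {(proto, port), ...}} for every socket reported as LISTEN."""
    found = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        asset, proto, port, state = line.split()
        if state != "LISTEN":
            continue
        found.setdefault(asset, set()).add((proto, int(port)))
    return found


def compare_ports(baseline, discovered):
    """For every asset, list open ports with no documented need and documented ports not found open."""
    report = {}
    for asset in sorted(set(baseline) | set(discovered)):
        documented = {(proto, port) for proto, port, _reason in baseline.get(asset, ())}
        found = discovered.get(asset, set())
        report[asset] = {
            "undocumented_open": sorted(found - documented),
            "documented_not_open": sorted(documented - found),
        }
    return report


def port_review(baseline=BASELINE, text=DISCOVERY_OUTPUT):
    """Convenience wrapper: parse the listing and compare it with the baseline."""
    return compare_ports(baseline, parse_discovery(text))


if __name__ == "__main__":
    for asset, r in port_review().items():
        for proto, port in r["undocumented_open"]:
            print(f"{asset}: {proto}/{port} open but not in documented baseline")
        for proto, port in r["documented_not_open"]:
            print(f"{asset}: documented {proto}/{port} not found open (baseline stale?)")
```

Both directions of the comparison are reported on purpose: an undocumented open port is the deviation the requirement is about, while a documented port that is no longer open means the documentation no longer reflects the asset and should be updated before the next review.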
PR.AT-1: All users are informed and trained
CIP-003-5 R1 - 1.1 to 1.9: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: 1.1 Personnel & training (CIP-004); 1.2 Electronic Security Perimeters (CIP-005) including Interactive Remote Access; 1.3 Physical Security of BES Cyber Systems (CIP-006); 1.4 System security management (CIP-007); 1.5 Incident reporting and response planning (CIP-008); 1.6 Recovery plans for BES Cyber Systems (CIP-009); 1.7 Configuration change management and vulnerability assessments (CIP-010); 1.8 Information protection (CIP-011); and 1.9 Declaring and responding to CIP Exceptional Circumstances.
1. Policies should contain requirements for user training and security awareness.
PR.AT-1: All users are informed and trained
CIP-003-5 R2 - 2.1: Each Responsible Entity for its assets identified in CIP‐002‐5, Requirement R1, Part R1.3, shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented cyber security policies that collectively address the following topics, and review and obtain CIP Senior Manager approval for those policies at least once every 15 calendar months: (An inventory, list, or discrete identification of low impact BES Cyber Systems or their BES Cyber Assets is not required). Cyber security awareness;
1. Policies should contain requirements for user training and security awareness.
PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate (C2M2 practices: CPM-3a, CPM-3b, CPM-3c, CPM-3d)
PR.AT-1 C2M2 practices: WM-3a, WM-3b, WM-3c, WM-3d, WM-3e, WM-3f, WM-3g, WM-3h, WM-3i
Awareness and Training (AT): The organization's personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.
PR.AT-1: All users are informed and trained
CIP-004-5.1 R1: Each Responsible Entity shall implement one or more documented processes that collectively include each of the applicable requirement parts in CIP‐004‐5.1 Table R1 – Security Awareness Program. (1.1) Security awareness that, at least once each calendar quarter, reinforces cyber security practices (which may include associated physical security practices) for the Responsible Entity's personnel who have authorized electronic or authorized unescorted physical access to BES Cyber Systems.
1. Implement a security awareness program that covers all assets, locations, and stakeholders.
PR.AT-1: All users are informed and trained
CIP-004-5.1 R2: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, a cyber security training program(s) appropriate to individual roles, functions, or responsibilities that collectively includes each of the applicable requirement parts in CIP‐004‐5.1 Table R2 – Cyber Security Training Program.
1. Implement a security training program that covers all assets, locations, and stakeholders.
CIP-003-5 R1 - 1.1 to 1.9: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: 1.1 Personnel & training (CIP-004); 1.2 Electronic Security Perimeters (CIP-005) including Interactive Remote Access; 1.3 Physical Security of BES Cyber Systems (CIP-006); 1.4 System security management (CIP-007); 1.5 Incident reporting and response planning (CIP-008); 1.6 Recovery plans for BES Cyber Systems (CIP-009); 1.7 Configuration change management and vulnerability assessments (CIP-010); 1.8 Information protection (CIP-011); and 1.9 Declaring and responding to CIP Exceptional Circumstances.
1. Policies should contain requirements for user training and security awareness.
CIP-003-5 R2 - 2.1: Each Responsible Entity for its assets identified
in CIP‐002‐5, Requirement R1, Part R1.3, shall implement, in a
manner that identifies, assesses, and corrects deficiencies, one or
more documented cyber security policies that collectively address the
following topics, and review and obtain CIP Senior Manager approval
for those policies at least once every 15 calendar months: (An
inventory, list, or discrete identification of low impact BES Cyber
Systems or their BES Cyber Assets is not required). Cyber security
awareness;
1. Policies should contain requirements for user training and security awareness.
CIP-004-5.1 R1: Each Responsible Entity shall implement one or
more documented processes that collectively include each of the
applicable requirement parts in CIP‐004‐5.1 Table R1 – Security
Awareness Program. (1.1) Security awareness that, at least once
each calendar quarter, reinforces cyber security practices (which may
include associated physical security practices) for the Responsible
Entity’s personnel who have authorized electronic or authorized
unescorted physical access to BES Cyber Systems.
1. Implement a security awareness program that covers all assets, locations, and stakeholders.
CIP-004-5.1 R2: Each Responsible Entity shall implement, in a
manner that identifies, assesses, and corrects deficiencies, a cyber
security training program(s) appropriate to individual roles, functions,
or responsibilities that collectively includes each of the applicable
requirement parts in CIP‐004‐5.1 Table R2 – Cyber Security Training
Program.
1. Implement a security training program that covers all assets, locations, and stakeholders.
CIP-003-5 R1 - 1.1 to 1.9: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: 1.1 Personnel & training (CIP-004); 1.2 Electronic Security Perimeters (CIP-005) including Interactive Remote Access; 1.3 Physical Security of BES Cyber Systems (CIP-006); 1.4 System security management (CIP-007); 1.5 Incident reporting and response planning (CIP-008); 1.6 Recovery plans for BES Cyber Systems (CIP-009); 1.7 Configuration change management and vulnerability assessments (CIP-010); 1.8 Information protection (CIP-011); and 1.9 Declaring and responding to CIP Exceptional Circumstances.
1. Policies should contain requirements for user training and security awareness.
PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand roles & responsibilities (C2M2 practices: WM-1a, WM-1b, WM-1c, WM-1d, WM-1e, WM-1f, WM-1g)
PR.AT-2: Privileged users understand roles & responsibilities (C2M2 practices: WM-1a, WM-1b, WM-1c, WM-1d, WM-1e, WM-1f, WM-1g)
CIP-003-5 R2 - 2.1: Each Responsible Entity for its assets identified
in CIP‐002‐5, Requirement R1, Part R1.3, shall implement, in a
manner that identifies, assesses, and corrects deficiencies, one or
more documented cyber security policies that collectively address the
following topics, and review and obtain CIP Senior Manager approval
for those policies at least once every 15 calendar months: (An
inventory, list, or discrete identification of low impact BES Cyber
Systems or their BES Cyber Assets is not required). Cyber security
awareness;
1. Policies should contain requirements for user training and security awareness.
CIP-004-5.1 R1: Each Responsible Entity shall implement one or
more documented processes that collectively include each of the
applicable requirement parts in CIP‐004‐5.1 Table R1 – Security
Awareness Program. (1.1) Security awareness that, at least once
each calendar quarter, reinforces cyber security practices (which may
include associated physical security practices) for the Responsible
Entity’s personnel who have authorized electronic or authorized
unescorted physical access to BES Cyber Systems.
1. Implement a security awareness program that covers all assets, locations, and stakeholders.
CIP-004-5.1 R2: Each Responsible Entity shall implement, in a
manner that identifies, assesses, and corrects deficiencies, a cyber
security training program(s) appropriate to individual roles, functions,
or responsibilities that collectively includes each of the applicable
requirement parts in CIP‐004‐5.1 Table R2 – Cyber Security Training
Program.
1. Implement a security training program that covers all assets, locations, and stakeholders.
CIP-003-5 R1 - 1.1 to 1.9: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: 1.1 Personnel & training (CIP-004); 1.2 Electronic Security Perimeters (CIP-005) including Interactive Remote Access; 1.3 Physical Security of BES Cyber Systems (CIP-006); 1.4 System security management (CIP-007); 1.5 Incident reporting and response planning (CIP-008); 1.6 Recovery plans for BES Cyber Systems (CIP-009); 1.7 Configuration change management and vulnerability assessments (CIP-010); 1.8 Information protection (CIP-011); and 1.9 Declaring and responding to CIP Exceptional Circumstances.
1. Policies should contain requirements for user training and security awareness.
CIP-003-5 R2 - 2.1: Each Responsible Entity for its assets identified
in CIP‐002‐5, Requirement R1, Part R1.3, shall implement, in a
manner that identifies, assesses, and corrects deficiencies, one or
more documented cyber security policies that collectively address the
following topics, and review and obtain CIP Senior Manager approval
for those policies at least once every 15 calendar months: (An
inventory, list, or discrete identification of low impact BES Cyber
Systems or their BES Cyber Assets is not required). Cyber security
awareness;
1. Policies should contain requirements for user training and security awareness.
CIP-003-5 R4: The Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, a documented
process to delegate authority, unless no delegations are used. Where
allowed by the CIP Standards, the CIP Senior Manager may delegate
authority for specific actions to a delegate or delegates. These
delegations shall be documented, including the name or title of the
delegate, the specific actions delegated, and the date of the
delegation; approved by the CIP Senior Manager; and updated within
30 days of any change to the delegation. Delegation changes do not
need to be reinstated with a change to the delegator.
1. The CIP Senior Manager should be able to demonstrate that they understand their roles and responsibilities. Consider an acknowledgement form.
CIP-004-5.1 R1: Each Responsible Entity shall implement one or
more documented processes that collectively include each of the
applicable requirement parts in CIP‐004‐5.1 Table R1 – Security
Awareness Program. (1.1) Security awareness that, at least once
each calendar quarter, reinforces cyber security practices (which may
include associated physical security practices) for the Responsible
Entity’s personnel who have authorized electronic or authorized
unescorted physical access to BES Cyber Systems.
1. Implement a security awareness program that covers all assets, locations, and stakeholders.
PR.AT-4: Senior executives understand roles & responsibilities (C2M2 practices: WM-1a, WM-1b, WM-1c, WM-1d, WM-1e, WM-1f, WM-1g)
CIP-004-5.1 R2: Each Responsible Entity shall implement, in a
manner that identifies, assesses, and corrects deficiencies, a cyber
security training program(s) appropriate to individual roles, functions,
or responsibilities that collectively includes each of the applicable
requirement parts in CIP‐004‐5.1 Table R2 – Cyber Security Training
Program.
1. Implement a security training program that covers all assets, locations, and stakeholders.
CIP-003-5 R1 - 1.1 to 1.9: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: 1.1 Personnel & training (CIP-004); 1.2 Electronic Security Perimeters (CIP-005) including Interactive Remote Access; 1.3 Physical Security of BES Cyber Systems (CIP-006); 1.4 System security management (CIP-007); 1.5 Incident reporting and response planning (CIP-008); 1.6 Recovery plans for BES Cyber Systems (CIP-009); 1.7 Configuration change management and vulnerability assessments (CIP-010); 1.8 Information protection (CIP-011); and 1.9 Declaring and responding to CIP Exceptional Circumstances.
1. Policies should contain requirements for user training and security awareness.
CIP-003-5 R2 - 2.1: Each Responsible Entity for its assets identified
in CIP‐002‐5, Requirement R1, Part R1.3, shall implement, in a
manner that identifies, assesses, and corrects deficiencies, one or
more documented cyber security policies that collectively address the
following topics, and review and obtain CIP Senior Manager approval
for those policies at least once every 15 calendar months: (An
inventory, list, or discrete identification of low impact BES Cyber
Systems or their BES Cyber Assets is not required). Cyber security
awareness;
1. Policies should contain requirements for user training and security awareness.
CIP-004-5.1 R1: Each Responsible Entity shall implement one or
more documented processes that collectively include each of the
applicable requirement parts in CIP‐004‐5.1 Table R1 – Security
Awareness Program. (1.1) Security awareness that, at least once
each calendar quarter, reinforces cyber security practices (which may
include associated physical security practices) for the Responsible
Entity’s personnel who have authorized electronic or authorized
unescorted physical access to BES Cyber Systems.
1. Implement a security awareness program that covers all assets, locations, and stakeholders.
CIP-004-5.1 R2: Each Responsible Entity shall implement, in a
manner that identifies, assesses, and corrects deficiencies, a cyber
security training program(s) appropriate to individual roles, functions,
or responsibilities that collectively includes each of the applicable
requirement parts in CIP‐004‐5.1 Table R2 – Cyber Security Training
Program.
1. Implement a security training program that covers all assets, locations, and stakeholders.
CIP-006-5 R2: Each Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, one or more
documented visitor control programs that include each of the
applicable requirement parts in CIP-006-5 Table R2 – Visitor Control
Program.
1. Ensure physical security personnel are trained on the visitor control program and are given tools as
necessary to monitor and manage the program.
CIP-003-5 R1 - 1.8: Each Responsible Entity, for its high impact and
medium impact BES Cyber Systems, shall review and obtain CIP
Senior Manager approval at least once every 15 calendar months for
one or more documented cyber security policies that collectively
address the following topics: Information protection (CIP‐011);
1. Rules for identifying and protecting the confidentiality and integrity of information should be included in
the entity's official security policy. System-related information requiring protection includes items defined
as BES Cyber System Information.
CIP-004-5.1 R4: Each Responsible Entity shall implement, in a
manner that identifies, assesses, and corrects deficiencies, one or
more documented access management programs that collectively
include each of the applicable requirement parts in CIP‐004‐5.1 Table
R4 – Access Management Program.
1. Access control rules should protect the confidentiality and integrity of information at rest, i.e.,
information located on storage devices. Proper access controls (e.g., provisioning and revocation) should be
used to restrict access to such information.
CIP-004-5.1 R5: Each Responsible Entity shall implement, in a
manner that identifies, assesses, and corrects deficiencies, one or
more documented access revocation programs that collectively
include each of the applicable requirement parts in CIP‐004‐5.1 Table
R5 – Access Revocation.
1. Access control rules should protect the confidentiality and integrity of information at rest, i.e.,
information located on storage devices. Proper access controls (e.g., provisioning and revocation) should be
used to restrict access to such information.
PR.AT-5: Physical and information security personnel understand roles & responsibilities
C2M2 practices (MIL 1 to MIL 3): WM-1a, WM-1b, WM-1c, WM-1d, WM-1e, WM-1f, WM-1g
PR.DS-1: Data-at-rest is protected
C2M2 practices (MIL 1 to MIL 3): ACM-1b, TVM-1c, TVM-2c, CPM-3b, ACM-1e, TVM-2i, TVM-2n
Category: Data Security (DS): Information and records (data) are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information.
CIP-007-5 R3: Each Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, one or more
documented processes that collectively include each of the applicable
requirement parts in CIP-007-5 Table R3 – Malicious Code
Prevention.
1. Monitoring, detection and prevention of malicious code should be implemented to protect information at
rest.
CIP-011-1 R1: Each Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, one or more
documented information protection program(s) that collectively
includes each of the applicable requirement parts in CIP‐011‐1 Table
R1 – Information Protection.
1. Formal procedures and processes should be implemented to identify and secure protected information
at rest and data in transit.
CIP-011-1 R2: Each Responsible Entity shall implement one or more
documented processes that collectively include the applicable
requirement parts in CIP‐011‐1 Table R2 – BES Cyber Asset Reuse
and Disposal.
1. Formal procedures and processes should be implemented to sanitize media containing protected
information prior to disposal, release out of organizational control, or release for reuse. Mechanisms should
sanitize information to the strength and integrity commensurate with the security category or classification
of the information.
CIP-003-5 R1 - 1.2: Each Responsible Entity, for its high impact and
medium impact BES Cyber Systems, shall review and obtain CIP
Senior Manager approval at least once every 15 calendar months for
one or more documented cyber security policies that collectively
address the following topics: Electronic Security Perimeters (CIP‐005)
including Interactive Remote Access;
1. Rules for protecting the confidentiality and integrity of information in transit on the network or over
remote access should be included in the entity's official security policy.
CIP-003-5 R1 - 1.8: Each Responsible Entity, for its high impact and
medium impact BES Cyber Systems, shall review and obtain CIP
Senior Manager approval at least once every 15 calendar months for
one or more documented cyber security policies that collectively
address the following topics: Information protection (CIP‐011);
1. Rules for identifying and protecting the confidentiality and integrity of information should be included in
the entity's official security policy. System-related information requiring protection includes items defined
as BES Cyber System Information.
CIP-003-5 R2 - 2.3: Each Responsible Entity for its assets identified
in CIP-002-5, Requirement R1, Part R1.3 (i.e., low impact), shall
implement, in a manner that identifies, assesses, and corrects
deficiencies, one or more documented cyber security policies that
collectively address the following topics, and review and obtain CIP
Senior Manager approval for those policies at least once every 15
calendar months: Electronic access controls for external routable
protocol connections and Dial-up Connectivity.
1. Rules for identifying and protecting the confidentiality and integrity of information should be included in
the entity's official security policy. System-related information requiring protection includes items defined
as BES Cyber System Information.
CIP-004-5.1 R4: Each Responsible Entity shall implement, in a
manner that identifies, assesses, and corrects deficiencies, one or
more documented access management programs that collectively
include each of the applicable requirement parts in CIP‐004‐5.1 Table
R4 – Access Management Program.
1. Access control rules should protect the confidentiality and integrity of information in transit on the
network or over remote access. Proper access controls (e.g., provisioning and revocation) should be
used to restrict access to such information.
CIP-004-5.1 R5: Each Responsible Entity shall implement, in a
manner that identifies, assesses, and corrects deficiencies, one or
more documented access revocation programs that collectively
include each of the applicable requirement parts in CIP‐004‐5.1 Table
R5 – Access Revocation.
1. Access control rules should protect the confidentiality and integrity of information in transit on the
network or over remote access. Proper access controls (e.g., provisioning and revocation) should be
used to restrict access to such information.
CIP-005-5 R1: Each Responsible Entity shall implement one or more
documented processes that collectively include each of the applicable
requirement parts in CIP-005-5 Table R1 – Electronic Security
Perimeter.
1. Access control rules should protect the confidentiality and integrity of information in transit on the
network or over remote access. Proper access controls (e.g., provisioning and revocation) should be
used to restrict access to such information.
2. Electronic Access Points into a higher security zone should include controls for protecting the data
traversing those boundaries.
CIP-005-5 R2: Each Responsible Entity allowing Interactive Remote
Access to BES Cyber Systems shall implement one or more
documented processes that collectively include the applicable
requirement parts, where technically feasible, in CIP-005-5 Table R2
– Interactive Remote Access Management.
1. There should be formal procedures and processes to implement secure remote access for the
transmission of protected information. Reference the definition of Interactive Remote Access.
CIP-007-5 R3: Each Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, one or more
documented processes that collectively include each of the applicable
requirement parts in CIP-007-5 Table R3 – Malicious Code
Prevention.
1. Monitoring, detection and prevention of malicious code should be implemented to protect information in
transit.
CIP-011-1 R1: Each Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, one or more
documented information protection program(s) that collectively
includes each of the applicable requirement parts in CIP‐011‐1 Table
R1 – Information Protection.
1. Formal procedures and processes should be implemented to identify and secure protected information
at rest and data in transit.
PR.DS-2: Data-in-transit is protected
C2M2 practices (MIL 1 to MIL 3): ACM-1b, TVM-1c, TVM-2c, CPM-3b, ACM-1e, TVM-2i, TVM-2n
PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition
C2M2 practices (MIL 1 to MIL 3): ACM-1a, ACM-1b, ACM-2a, ACM-2b, ACM-3a, ACM-3b, ACM-1c, ACM-1d, ACM-2c, ACM-3c, ACM-3d, ACM-4a, ACM-4b, ACM-4c, ACM-4d, ACM-1e, ACM-1f, ACM-2d, ACM-2e, ACM-3e, ACM-3f, ACM-4e, ACM-4f, ACM-4g, ACM-4h, ACM-4i
CIP-011-1 R2: Each Responsible Entity shall implement one or more
documented processes that collectively include the applicable
requirement parts in CIP‐011‐1 Table R2 – BES Cyber Asset Reuse
and Disposal.
1. Formal procedures and processes should be implemented to sanitize media containing protected
information prior to disposal, release out of organizational control, or release for reuse. Mechanisms should
sanitize information to the strength and integrity commensurate with the security category or classification
of the information.
CIP-003-5 R1 - 1.6: Each Responsible Entity, for its high impact and
medium impact BES Cyber Systems, shall review and obtain CIP
Senior Manager approval at least once every 15 calendar months for
one or more documented cyber security policies that collectively
address the following topics: Recovery plans for BES Cyber Systems
(CIP‐009);
1. Contingency planning rules should be included in the organization's policy statements.
CIP-007-5 R4 - 4.3: Where technically feasible, retain applicable
event logs identified in Part 4.1 for at least the last 90 consecutive
calendar days except under CIP Exceptional Circumstances.
1. Where possible, include log storage capacity monitoring in the organization's event log monitoring
program, so that the 90-day retention is not silently cut short when log storage fills.
CIP-009-5 R1: Each Responsible Entity shall have one or more
documented recovery plans that collectively include each of the
applicable requirement parts in CIP‐009‐5 Table R1 – Recovery Plan
Specifications.
1. Formal procedures and processes should be implemented for contingency planning as part of an overall
program for achieving business continuity. Contingency planning addresses both information system
restoration and implementation of alternative mission/business processes when systems are
compromised.
CIP-007-5 R3: Each Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, one or more
documented processes that collectively include each of the applicable
requirement parts in CIP‐007‐5 Table R3 – Malicious
Code Prevention.
1. Formal procedures and processes should be implemented to protect against, or limit the effects of,
denial of service attacks. This includes managing excess capacity, bandwidth, or other redundancy to limit
the effects of information flooding denial of service attacks and to counter flooding attacks.
CIP-003-5 R1 - 1.2: Each Responsible Entity, for its high impact and
medium impact BES Cyber Systems, shall review and obtain CIP
Senior Manager approval at least once every 15 calendar months for
one or more documented cyber security policies that collectively
address the following topics: Electronic Security Perimeters (CIP‐005)
including Interactive Remote Access;
1. Rules for protection of the confidentiality and integrity of information from data leaks while on the
network or when using remote access should be included in the entity's official security policy.
CIP-003-5 R1 - 1.4: Each Responsible Entity, for its high impact and
medium impact BES Cyber Systems, shall review and obtain CIP
Senior Manager approval at least once every 15 calendar months for
one or more documented cyber security policies that collectively
address the following topics: System security management (CIP‐007);
1. Rules for protection of the confidentiality and integrity of information from data leaks when it is located
on storage devices should be included in the entity's official security policy.
CIP-003-5 R1 - 1.8: Each Responsible Entity, for its high impact and
medium impact BES Cyber Systems, shall review and obtain CIP
Senior Manager approval at least once every 15 calendar months for
one or more documented cyber security policies that collectively
address the following topics: Information protection (CIP‐011);
1. Rules for identifying and protecting the confidentiality and integrity of information should be included in
the entity's official security policy. System-related information requiring protection includes items defined
as BES Cyber System Information.
CIP-003-5 R2 - 2.3: Each Responsible Entity for its assets identified
in CIP-002-5, Requirement R1, Part R1.3 (i.e., low impact), shall
implement, in a manner that identifies, assesses, and corrects
deficiencies, one or more documented cyber security policies that
collectively address the following topics, and review and obtain CIP
Senior Manager approval for those policies at least once every 15
calendar months: Electronic access controls for external routable
protocol connections and Dial-up Connectivity.
1. Rules for identifying and protecting the confidentiality and integrity of information should be included in
the entity's official security policy. System-related information requiring protection includes items defined
as BES Cyber System Information.
CIP-004-5.1 R4: Each Responsible Entity shall implement, in a
manner that identifies, assesses, and corrects deficiencies, one or
more documented access management programs that collectively
include each of the applicable requirement parts in CIP‐004‐5.1 Table
R4 – Access Management Program.
1. Access control rules should protect the confidentiality and integrity of information in transit on the
network or over remote access. Proper access controls (e.g., provisioning and revocation) should be
used to restrict access to such information.
PR.DS-4: Adequate capacity to ensure availability is maintained
C2M2 practices (MIL 1 to MIL 3): TVM-1c, TVM-2c, CPM-3b, TVM-2i, TVM-2n
PR.DS-5: Protections against data leaks are implemented
C2M2 practices (MIL 1 to MIL 3): TVM-1c, TVM-2c, CPM-3b, TVM-2i, TVM-2n
Function: PROTECT (PR)
CIP-004-5.1 R5: Each Responsible Entity shall implement, in a
manner that identifies, assesses, and corrects deficiencies, one or
more documented access revocation programs that collectively
include each of the applicable requirement parts in CIP‐004‐5.1 Table
R5 – Access Revocation.
1. Access control rules should protect the confidentiality and integrity of information in transit on the
network or over remote access. Proper access controls (e.g., provisioning and revocation) should be
used to restrict access to such information.
CIP-005-5 R1: Each Responsible Entity shall implement one or more
documented processes that collectively include each of the applicable
requirement parts in CIP-005-5 Table R1 – Electronic Security
Perimeter.
1. Formal procedures and processes should be implemented to ensure protected information is properly
segmented and that flow access controls are enforced. Flow access controls should be enforced
automatically, where possible.
CIP-005-5 R2: Each Responsible Entity allowing Interactive Remote
Access to BES Cyber Systems shall implement one or more
documented processes that collectively include the applicable
requirement parts, where technically feasible, in CIP-005-5 Table R2
– Interactive Remote Access Management.
1. Formal processes and procedures should be implemented to ensure that encrypted information does not
bypass system monitoring capabilities. This includes the proper configuration of encryption termination
points.
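The CIP-005-5 R2 rows above (this one and the PR.DS-2 row) both turn on where an Interactive Remote Access session terminates: Part 2.1 requires an Intermediate System so that the remote client never reaches an applicable Cyber Asset directly, and Part 2.2 requires encryption that terminates at that Intermediate System. The following is an added example, not code from the mapping document or from NERC, of the check a practitioner would run over boundary flow records to find sessions that violate either part. The ESP range, the Intermediate System address, the port table and the flow record format are all assumptions made for the example; a flow record cannot tell a user-initiated session from a system-to-system one, so the check conservatively treats every interactive-protocol session from outside the ESP as in scope.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

# Interactive session ports and whether the protocol encrypts the session on the
# wire. This table is an assumption for the example; a real check would be keyed
# to the entity's own inventory of permitted Interactive Remote Access methods.
INTERACTIVE_PORTS = {
    22: ("ssh", True),
    23: ("telnet", False),
    80: ("http-console", False),
    443: ("https-console", True),
    3389: ("rdp", True),
    5900: ("vnc", False),
}

# Hypothetical addressing: the ESP subnet and the Intermediate System (jump host).
ESP = ipaddress.ip_network("10.20.0.0/24")
INTERMEDIATE_SYSTEMS = {ipaddress.ip_address("10.20.0.5")}


@dataclass(frozen=True)
class Finding:
    rule: str
    src: str
    dst: str
    port: int


def parse_flow(line: str):
    """Parse one constructed flow record of the form 'src=A dst=B dport=N proto=tcp'."""
    fields = dict(token.split("=", 1) for token in line.split())
    return (ipaddress.ip_address(fields["src"]),
            ipaddress.ip_address(fields["dst"]),
            int(fields["dport"]))


def check_interactive_remote_access(lines: Iterable[str]) -> List[Finding]:
    """Flag interactive sessions that cross into the ESP without meeting CIP-005-5
    R2 Part 2.1 (Intermediate System) or Part 2.2 (encryption terminating there).
    A flow record cannot distinguish user-initiated from system-to-system traffic,
    so every interactive-protocol session from outside the ESP is treated as in scope."""
    findings = []
    for line in lines:
        src, dst, port = parse_flow(line)
        if port not in INTERACTIVE_PORTS:
            continue  # not an interactive protocol; outside this check's scope
        name, encrypted = INTERACTIVE_PORTS[port]
        if src in ESP or dst not in ESP:
            continue  # does not originate outside the ESP, so not remote access into it
        if dst not in INTERMEDIATE_SYSTEMS:
            findings.append(Finding("CIP-005-5 R2.1: session bypasses Intermediate System",
                                    str(src), str(dst), port))
        elif not encrypted:
            findings.append(Finding(f"CIP-005-5 R2.2: cleartext {name} to Intermediate System",
                                    str(src), str(dst), port))
    return findings


# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = [
    "src=192.0.2.10 dst=10.20.0.5 dport=22 proto=tcp",     # SSH to jump host: compliant path
    "src=192.0.2.10 dst=10.20.0.40 dport=3389 proto=tcp",  # RDP straight to a BES Cyber Asset
    "src=192.0.2.11 dst=10.20.0.5 dport=23 proto=tcp",     # telnet to jump host: no encryption
    "src=10.20.0.7 dst=10.20.0.40 dport=22 proto=tcp",     # inside the ESP: not remote access
    "src=192.0.2.12 dst=10.20.0.40 dport=502 proto=tcp",   # Modbus/TCP: not interactive, not in scope here
]

if __name__ == "__main__":
    for finding in check_interactive_remote_access(SAMPLE_FLOWS):
        print(f"{finding.rule}: {finding.src} -> {finding.dst}:{finding.port}")
```

The Modbus flow is deliberately left alone: it is still an Electronic Access Point concern under CIP-005-5 R1, but it is not Interactive Remote Access, and mixing the two checks is how a script ends up reporting every SCADA poll as a violation.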
CIP-007-5 R3: Each Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, one or more
documented processes that collectively include each of the applicable
requirement parts in CIP-007-5 Table R3 – Malicious Code
Prevention.
1. Formal procedures and processes should be implemented to prevent, deter, detect, and mitigate
malicious code intended to exfiltrate data.
CIP-007-5 R4: Each Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, one or more
documented processes that collectively include each of the applicable
requirement parts in CIP‐007‐5 Table R4 – Security
Event Monitoring.
1. Formal procedures and processes should be implemented to monitor security events that could indicate
a data leak.
CIP-007-5 R5: Each Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, one or more
documented processes that collectively include each of the applicable
requirement parts in CIP-007-5 Table R5 – System Access Controls.
1. Formal procedures and processes should be implemented to manage system access controls, so that
poorly managed user and system accounts do not become a path for data leaks.
CIP-011-1 R1: Each Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, one or more
documented information protection program(s) that collectively
includes each of the applicable requirement parts in CIP‐011‐1 Table
R1 – Information Protection.
1. The information protection program can consist of policy controls such as document markings, secure
handling procedures, and secure destruction procedures, and technical controls such as access control,
encryption, or data loss prevention.
CIP-011-1 R2: Each Responsible Entity shall implement one or more
documented processes that collectively include the applicable
requirement parts in CIP‐011‐1 Table R2 – BES Cyber Asset Reuse
and Disposal.
1. The information protection program can consist of policy controls such as document markings, secure
handling procedures, and secure destruction procedures, and technical controls such as access control,
encryption, or data loss prevention.
CIP-003-5 R1 - 1.7: Each Responsible Entity, for its high impact and
medium impact BES Cyber Systems, shall review and obtain CIP
Senior Manager approval at least once every 15 calendar months for
one or more documented cyber security policies that collectively
address the following topics: Configuration change management and
vulnerability assessments (CIP‐010);
1. Rules for the implementation of configuration management of software, firmware, and information integrity
should be included in the entity's official security policy.
CIP-010-1 R1: Each Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, one or more
documented processes that collectively include each of the applicable
requirement parts in CIP‐010‐1 Table R1 – Configuration Change
Management.
1. Formal processes and procedures should be implemented to document the approved configuration of
hardware, software, and firmware.
CIP-010-1 R2: Each Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, one or more
documented processes that collectively include each of the applicable
requirement parts in CIP‐010‐1 Table R2 – Configuration Monitoring.
1. Formal processes and procedures should be implemented to monitor the approved configuration of
hardware, software, and firmware to detect any unauthorized changes.
CIP-003-5 R1 - 1.2: Each Responsible Entity, for its high impact and
medium impact BES Cyber Systems, shall review and obtain CIP
Senior Manager approval at least once every 15 calendar months for
one or more documented cyber security policies that collectively
address the following topics: Electronic Security Perimeters (CIP‐005)
including Interactive Remote Access;
1. Rules for the segregation of production and test environments should be included in the entity's official
security policy.
PR.DS-7: The development and testing environment(s) are separate from the production environment
C2M2 practices (MIL 1 to MIL 3): ACM-3c, ACM-3e
PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity
C2M2 practices (MIL 1 to MIL 3): ACM-3d
CIP-003-5 R1 - 1.7: Each Responsible Entity, for its high impact and
medium impact BES Cyber Systems, shall review and obtain CIP
Senior Manager approval at least once every 15 calendar months for
one or more documented cyber security policies that collectively
address the following topics: Configuration change management and
vulnerability assessments (CIP‐010);
1. Rules for the implementation and use of testing environments should be included in the entity's official
security policy.
CIP-005-5 R1: Each Responsible Entity shall implement one or more
documented processes that collectively include each of the applicable
requirement parts in CIP-005-5 Table R1 – Electronic Security
Perimeter.
1. Formal procedures and processes should be implemented to properly segregate test and production
network environments.
CIP-010-1 R2: Each Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, one or more
documented processes that collectively include each of the applicable
requirement parts in CIP‐010‐1 Table R2 – Configuration Monitoring.
1. Formal procedures and processes should require testing of changes before they are applied to the
production environment. A designated, separate test environment should be used, where possible.
CIP-010-1 R1: Each Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, one or more
documented processes that collectively include each of the applicable
requirement parts in CIP‐010‐1 Table R1 – Configuration Change
Management.
1. Ensure baseline configurations are protected from possible compromise
CIP-010-1 R2: Each Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, one or more
documented processes that collectively include each of the applicable
requirement parts in CIP‐010‐1 Table R2 – Configuration Monitoring.
1. Use monitoring tools to ensure integrity of baseline configurations when stored outside of a protected
security zone
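The CIP-010-1 R1 and R2 rows under PR.DS-6 and PR.IP-1 above describe three things a practitioner has to build: a baseline made of the five elements named in CIP-010-1 R1 Part 1.1 (operating system or firmware, commercially available software, custom software, logical network accessible ports, and applied security patches), a comparison of the observed state against that baseline to detect unauthorized change (R2 Part 2.1 requires this at least once every 35 calendar days), and a way to tell whether a copy of the baseline kept outside the protected zone has itself been tampered with. The block below is an added example, not code from the mapping document or any vendor tool, that does all three; the RTU inventory, patch identifiers and HMAC key are constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import date, timedelta
from typing import Dict, List

# The five elements a baseline configuration must include under CIP-010-1 R1 Part 1.1.
BASELINE_ELEMENTS = ("os_firmware", "commercial_software", "custom_software",
                     "logical_ports", "security_patches")

Baseline = Dict[str, List[str]]


def normalize(config: Baseline) -> Baseline:
    """Return every element as a sorted, de-duplicated list so two snapshots
    compare independently of the order an inventory tool emitted them."""
    return {element: sorted(set(config.get(element, []))) for element in BASELINE_ELEMENTS}


def canonical_bytes(config: Baseline) -> bytes:
    return json.dumps(normalize(config), sort_keys=True, separators=(",", ":")).encode()


def seal(config: Baseline, key: bytes) -> str:
    """HMAC-SHA256 over the canonical baseline. Stored beside the baseline, it lets
    a copy held outside the protected zone be checked for tampering; the key stays inside."""
    return hmac.new(key, canonical_bytes(config), hashlib.sha256).hexdigest()


def verify_seal(config: Baseline, key: bytes, expected: str) -> bool:
    return hmac.compare_digest(seal(config, key), expected)


def diff_baseline(baseline: Baseline, observed: Baseline) -> Dict[str, Dict[str, List[str]]]:
    """Per-element additions and removals between the approved baseline and the
    observed state. An empty result means no deviation to investigate."""
    approved, current = normalize(baseline), normalize(observed)
    deviations = {}
    for element in BASELINE_ELEMENTS:
        added = sorted(set(current[element]) - set(approved[element]))
        removed = sorted(set(approved[element]) - set(current[element]))
        if added or removed:
            deviations[element] = {"added": added, "removed": removed}
    return deviations


def monitoring_overdue(last_check: date, today: date, max_days: int = 35) -> bool:
    """CIP-010-1 R2 Part 2.1 calls for a check at least once every 35 calendar days."""
    return (today - last_check) > timedelta(days=max_days)


# Constructed sample data for a hypothetical substation RTU (not a real inventory).
APPROVED_BASELINE: Baseline = {
    "os_firmware": ["rtu-fw 4.2.1"],
    "commercial_software": ["dnp3-stack 2.0"],
    "custom_software": ["point-map-loader 1.3"],
    "logical_ports": ["tcp/20000", "tcp/22"],
    "security_patches": ["patch-2014-05", "patch-2014-07"],
}
OBSERVED_SNAPSHOT: Baseline = {
    "os_firmware": ["rtu-fw 4.2.1"],
    "commercial_software": ["dnp3-stack 2.0"],
    "custom_software": ["point-map-loader 1.3"],
    "logical_ports": ["tcp/22", "tcp/20000", "tcp/23"],   # telnet appeared
    "security_patches": ["patch-2014-05"],                # a patch is missing
}
LAST_CHECK = date(2014, 10, 1)
TODAY = date(2014, 11, 14)

if __name__ == "__main__":
    key = b"demo-key-kept-in-the-protected-zone"
    tag = seal(APPROVED_BASELINE, key)
    print("baseline seal ok:", verify_seal(APPROVED_BASELINE, key, tag))
    print("deviations:", json.dumps(diff_baseline(APPROVED_BASELINE, OBSERVED_SNAPSHOT)))
    print("monitoring overdue:", monitoring_overdue(LAST_CHECK, TODAY))
```

The comparison is set-based on purpose: a port that appears and a patch that disappears are both deviations from the approved baseline, and the R2 process has to investigate both, not only additions. The seal uses an HMAC rather than a bare hash because a plain SHA-256 stored next to the baseline can be recomputed by whoever alters the file.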
PR.IP-2: A System Development Life Cycle to manage systems is implemented
C2M2 practices (MIL 1 to MIL 3): ACM-3d
1. A framework for the SDLC can be included in an entity's Change Management and Configuration Monitoring
program.
CIP-003-5 R1 - 1.4: Each Responsible Entity, for its high impact and
medium impact BES Cyber Systems, shall review and obtain CIP
Senior Manager approval at least once every 15 calendar months for
one or more documented cyber security policies that collectively
address the following topics: System security management (CIP‐007);
1. Systems management policies should contain requirements for change control
CIP-003-5 R1 - 1.7: Each Responsible Entity, for its high impact and
medium impact BES Cyber Systems, shall review and obtain CIP
Senior Manager approval at least once every 15 calendar months for
one or more documented cyber security policies that collectively
address the following topics: Configuration change management and
vulnerability assessments (CIP‐010);
1. Change control policies should include broad requirements for what types of activities constitute a
change
CIP-010-1 R1: Each Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, one or more
documented processes that collectively include each of the applicable
requirement parts in CIP‐010‐1 Table R1 – Configuration Change
Management.
1. Change control procedures should include specific requirements for what types of activities constitute a
change
CIP-010-1 R2: Each Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, one or more
documented processes that collectively include each of the applicable
requirement parts in CIP‐010‐1 Table R2 – Configuration Monitoring.
1. Configuration monitoring procedures should include specific requirements for what types of changes
should be monitored & managed
PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained
C2M2 practices (MIL 1 to MIL 3): ACM-2a, ACM-2b, ACM-2c, ACM-2d, ACM-2e
PR.IP-3: Configuration change control processes are in place
C2M2 practices (MIL 1 to MIL 3): ACM-3a, ACM-3b, ACM-3c, ACM-3d, ACM-3e, ACM-3f
Category: Information Protection Processes and Procedures (IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.
CIP-009-5 R1: Each Responsible Entity shall have one or more
documented recovery plans that collectively include each of the
applicable requirement parts in CIP-009-5 Table R1 - Recovery Plan
Specifications.
1. Recovery plans should specify business requirements for data retention and the periodicity of backups.
CIP-009-5 R3: Each Responsible Entity shall maintain each of its
recovery plans in accordance with each of the applicable requirement
parts in CIP‐009‐5 Table R3 – Recovery Plan Review, Update and
Communication.
1. Recovery plan testing should occur on a frequency commensurate with the importance of the asset.
2. Recovery plans should be tested after any major change or upgrade to a system.
PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met
C2M2 practices (MIL 1 to MIL 3): RM-2b, IAM-2a, RM-3f, IAM-3f
CIP-003-5 R1 - 1.1 to 1.9: Each Responsible Entity, for its high impact
and medium impact BES Cyber Systems, shall review and obtain CIP
Senior Manager approval at least once every 15 calendar months for
one or more documented cyber security policies that collectively
address the following topics: 1.1 Personnel & training (CIP-004), 1.2
Electronic Security Perimeters (CIP-005) including Interactive Remote
Access, 1.3 Physical Security of BES Cyber Systems (CIP-006), 1.4
System security management (CIP-007), 1.5 Incident reporting and
response planning (CIP-008), 1.6 Recovery plans for BES Cyber
Systems (CIP-009), 1.7 Configuration change management and
vulnerability assessments (CIP-010), 1.8 Information protection
(CIP-011) and 1.9 Declaring and responding to CIP Exceptional
Circumstances.
1. Policies should contain requirements for the physical operating environment of the cyber system,
including environmental (temperature, moisture, vibration, dust), power (redundant feeds, battery), and fire-
suppression. Policies should contain requirements for environmental monitoring of the physical operating
environment.
PR.IP-6: Data is destroyed according to policy
C2M2 practices (MIL 1 to MIL 3): ACM-3d
CIP-011-1 R2: Each Responsible Entity shall implement one or more
documented processes that collectively include the applicable
requirement parts in CIP‐011‐1 Table R2 – BES Cyber Asset Reuse
and Disposal.
1. Implement a management control to test a sampling of retired systems to ensure data is no longer
accessible.
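The management control just described, sampling retired systems to confirm that data is no longer accessible, needs a concrete test, and the same test serves the CIP-011-1 R2 sanitization rows under PR.DS-1 and PR.DS-3. The following is an added example, not code from the mapping document, of that check: it reads a raw image of the sampled media sector by sector, reports every sector that does not match the overwrite pattern the sanitization procedure should have left, and pulls printable strings out of the residue so the reviewer sees what survived. The sector size, fill pattern and the image contents are constructed for the example. One caveat a practitioner would add: a logical read like this cannot see spare or remapped blocks on flash media, so for solid-state storage the sample verifies the procedure ran, not that nothing remains; cryptographic erase or physical destruction is the answer there.

```python
import string
from typing import Dict, List

SECTOR = 512
# Printable ASCII minus the control whitespace, so a run breaks at newlines.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def residual_strings(data: bytes, min_len: int = 8) -> List[str]:
    """Runs of printable ASCII at least min_len long (the classic 'strings' pass)."""
    found, run = [], bytearray()
    for byte in data + b"\x00":          # trailing sentinel flushes the final run
        if byte in PRINTABLE:
            run.append(byte)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    return found


def verify_sanitized(image: bytes, fill: int = 0x00) -> Dict[str, object]:
    """Compare a raw read of retired media against the overwrite pattern the
    sanitization procedure was supposed to leave behind. Reports the sectors that
    still differ and any readable strings recovered from them."""
    expected = bytes([fill]) * SECTOR
    dirty, strings_found = [], []
    for offset in range(0, len(image), SECTOR):
        sector = image[offset:offset + SECTOR]
        if sector != expected[:len(sector)]:
            dirty.append(offset // SECTOR)
            strings_found.extend(residual_strings(sector))
    return {
        "sectors_total": (len(image) + SECTOR - 1) // SECTOR,
        "sectors_dirty": dirty,
        "strings": strings_found,
        "clean": not dirty,
    }


def build_sample_image() -> bytes:
    """Constructed image of eight zeroed sectors in which sector 3 still holds a
    fragment of a fictional device configuration. Not data from any real device."""
    leftover = b"hostname SUB-RTU-01\nenable secret 5 $1$constructed$notarealhash\n"
    image = bytearray(8 * SECTOR)
    image[3 * SECTOR:3 * SECTOR + len(leftover)] = leftover
    return bytes(image)


if __name__ == "__main__":
    report = verify_sanitized(build_sample_image())
    print("clean:", report["clean"], "dirty sectors:", report["sectors_dirty"])
    for text in report["strings"]:
        print("  residual:", text)
    print("after full overwrite, clean:", verify_sanitized(bytes(8 * SECTOR))["clean"])
```

Pass `fill=0xFF` (or whatever pattern the procedure writes) when the sanitization tool does not zero the media; a mismatch between the expected pattern and the tool's actual one is a common reason a verification script reports every sector as dirty.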
PR.IP-7: Protection processes are continuously improved
C2M2 practices (MIL 1 to MIL 3): TVM-1h, CPM-1g
CIP-010-1 R3: Each Responsible Entity shall implement one or more
documented processes that collectively include each of the applicable
requirement parts in CIP‐010‐1 Table R3 – Vulnerability Assessments.
1. The stated goal of the entity's vulnerability assessment program should be the strengthening of security
controls through a process of regular review and assessment
2. Assessments should evaluate the current threat landscape and the ability of existing controls to mitigate
or eliminate the risk
CIP-008-5 R3: Each Responsible Entity shall maintain each of its
Cyber Security Incident response plans according to each of the
applicable requirement parts in CIP‐008‐5 Table R3 – Cyber Security
Incident Response Plan Review, Update, and Communication.
1. Results of incident response tests should be communicated to key stakeholders, to include a frank
assessment of the effectiveness of the response actions and security controls.
CIP-010-1 R3: Each Responsible Entity shall implement one or more
documented processes that collectively include each of the applicable
requirement parts in CIP‐010‐1 Table R3 – Vulnerability Assessments.
1. Results of vulnerability assessments should be communicated to key stakeholders, to include a frank
assessment of the effectiveness of the security controls.
CIP-003-5 R1 - 1.5: Each Responsible Entity, for its high impact and
medium impact BES Cyber Systems, shall review and obtain CIP
Senior Manager approval at least once every 15 calendar months for
one or more documented cyber security policies that collectively
address the following topics: Incident reporting and response planning
(CIP‐008);
1. Policies should contain language addressing the management of the incident response plans.
PR.IP-8: Effectiveness of protection technologies is shared with appropriate parties
C2M2 practices (MIL 1 to MIL 3): ISC-1a, ISC-1b, ISC-1c, ISC-1d, ISC-1e, ISC-1f, ISC-1g, ISC-2b, ISC-1h, ISC-1i, ISC-1j, ISC-1k, ISC-1l
PR.IP-9: Response plans (Incident Response
and Business Continuity) and recovery plans
(Incident Recovery and Disaster Recovery) are
in place and managed
IR-4c IR-3e
IR-3f
IR-4d
IR-4f
IR-5a
IR-5b
IR-5c
IR-5d
RM-1a
RM-1b
TVM-1d
IR-3k
IR-3m
IR-4i
IR-4j
IR-5e
IR-5f
IR-5g
IR-5h
IR-5i
RM-1c
PR.IP-4: Backups of information are conducted,
maintained, and tested periodically
IR-4a
IR-4b
IR-4c
IR-4f IR-4g
IR-4j
Page 18 of 34
MIL 1 MIL 2 MIL 3
Mapping of NIST Cybersecurity Framework to NERC CIP version 5
Nov-14
C2M2 Practices **
Function Category Subcategory NERC CIP v5 Guidance for combined NERC CIP v5 & NIST CSF
CIP-003-5 R1 - 1.6: Each Responsible Entity, for its high impact and
medium impact BES Cyber Systems, shall review and obtain CIP
Senior Manager approval at least once every 15 calendar months for
one or more documented cyber security policies that collectively
address the following topics: Recovery plans for BES Cyber Systems
(CIP‐009);
1. Policies should contain language addressing the management of the recovery plans
CIP-003-5 R2 - 2.4: Each Responsible Entity for its assets identified
in CIP‐002‐5, Requirement R1, Part R1.3, shall implement, in a
manner that identifies, assesses, and corrects deficiencies, one or
more documented cyber security policies that collectively address the
following topics, and review and obtain CIP Senior Manager approval
for those policies at least once every 15 calendar months: (An
inventory, list, or discrete identification of low impact BES Cyber
Systems or their BES Cyber Assets is not required). Incident
response to a Cyber Security Incident.
1. Policies should contain language addressing the management of the recovery plans
CIP-008-5 R1: Each Responsible Entity shall document one or more
Cyber Security Incident response plan(s) that collectively include each
of the applicable requirement parts in CIP‐008‐5 Table R1 – Cyber
Security Incident Response Plan Specifications.
1. Plans are in place and managed
CIP-008-5 R3: Each Responsible Entity shall maintain each of its
Cyber Security Incident response plans according to each of the
applicable requirement parts in CIP‐008‐5 Table R3 – Cyber Security
Incident Response Plan Review, Update, and Communication.
1. Plans are in place and managed
CIP-009-5 R1: Each Responsible Entity shall have one or more
documented recovery plans that collectively include each of the
applicable requirement parts in CIP‐009‐5 Table R1 – Recovery Plan
Specifications.
1. Plans are in place and managed
CIP-009-5 R3: Each Responsible Entity shall maintain each of its
recovery plans in accordance with each of the applicable requirement
parts in CIP‐009‐5 Table R3 – Recovery Plan Review, Update and
Communication.
1. Plans are in place and managed
TVM-1d
Page 19 of 34
CIP-008-5 R2: Each Responsible Entity shall implement each of its
documented Cyber Security Incident response plans to collectively
include each of the applicable requirement parts in CIP‐008‐5 Table
R2 – Cyber Security Incident Response Plan Implementation and
Testing.
1. Plans are implemented when required and tested regularly
CIP-009-5 R2: Each Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, its documented
recovery plan(s) to collectively include each of the applicable
requirement parts in CIP‐009‐5 Table R2 – Recovery Plan
Implementation and Testing.
1. Plans are implemented when required and tested regularly
CIP-004-5.1 R3: Each Responsible Entity shall implement, in a
manner that identifies, assesses, and corrects deficiencies, one or
more documented personnel risk assessment programs to attain and
retain authorized electronic or authorized unescorted physical access
to BES Cyber Systems that collectively include each of the applicable
requirement parts in CIP‐004‐5.1 Table R3 – Personnel Risk
Assessment Program.
1. Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
CIP-004-5.1 R4: Each Responsible Entity shall implement, in a
manner that identifies, assesses, and corrects deficiencies, one or
more documented access management programs that collectively
include each of the applicable requirement parts in CIP‐004‐5.1 Table
R4 - Access Management Program.
1. Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
CIP-004-5.1 R5: Each Responsible Entity shall implement, in a
manner that identifies, assesses, and corrects deficiencies, one or
more documented access revocation programs that collectively
include each of the applicable requirement parts in CIP‐004‐5.1 Table
R5 – Access Revocation.
1. Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
CIP-007-5 R2: Each Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, one or more
documented processes that collectively include each of the applicable
requirement parts in CIP-007-5 Table R2 – Security Patch
Management.
1. Develop a holistic vulnerability management plan that includes patch management, malicious software
prevention, and regular vulnerability assessments - including scanning where feasible
CIP-007-5 R3: Each Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, one or more
documented processes that collectively include each of the applicable
requirement parts in CIP-007-5 Table R3 – Malicious Code
Prevention.
1. Develop a holistic vulnerability management plan that includes patch management, malicious software
prevention, and regular vulnerability assessments - including scanning where feasible
CIP-010-1 R3: Each Responsible Entity shall implement one or more
documented processes that collectively include each of the applicable
requirement parts in CIP‐010‐1 Table R3 – Vulnerability
Assessments.
1. Develop a holistic vulnerability management plan that includes patch management, malicious software
prevention, and regular vulnerability assessments - including scanning where feasible
CIP-010-1 R1: Each Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, one or more
documented processes that collectively include each of the applicable
requirement parts in CIP‐010‐1 Table R1 – Configuration Change
Management.
1. Maintenance practices should be addressed in, and follow, the organization's change control practices
CIP-006-5 R3: Each Responsible Entity shall implement one or more
documented Physical Access Control System maintenance and
testing programs that collectively include each of the applicable
requirement parts in CIP-006-5 Table R3 – Maintenance and Testing
Program.
1. As in CIP-006-5 R3, entities should consider a formal process for maintaining and testing the
mechanisms used for electronic access control. This should include testing of changes prior to
implementation.
PR.IP-12: A vulnerability management plan is
developed and implemented
TVM-2d
TVM-2e
TVM-3e
TVM-3f
PR.MA-1: Maintenance and repair of
organizational assets is performed and logged in
a timely manner, with approved and controlled
tools
IAM-2a ACM-1c AMC-3f
PR.IP-10: Response and recovery plans are
tested
IR-3e
IR-4f
IR-3k
IR-4i
IR-4j
PR.IP-11: Cybersecurity is included in human
resources practices (e.g., deprovisioning,
personnel screening)
WM-2a
WM-2b
WM-2c
WM-2d
WM-2e
WM-2f
WM-2g
WM-2h
Maintenance (MA): Maintenance and repairs of
industrial control and information system components is
performed consistent with policies and procedures.
Page 20 of 34
CIP-005-5 R2: Each Responsible Entity allowing Interactive Remote
Access to BES Cyber Systems shall implement one or more
documented processes that collectively include the applicable
requirement parts, where technically feasible, in CIP-005-5 Table R2
– Interactive Remote Access Management.
1. Formal processes and procedures should be implemented to manage the use of remote access for
performing maintenance functions in accordance with the configuration management program or process.
CIP-006-5 R3: Each Responsible Entity shall implement one or more
documented Physical Access Control System maintenance and
testing programs that collectively include each of the applicable
requirement parts in CIP-006-5 Table R3 – Maintenance and Testing
Program.
1. As in CIP-006-5 R3, entities should consider a formal process for maintaining and testing the
mechanisms used for electronic access control. This should include testing of changes prior to
implementation.
CIP-010-1 R1: Each Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, one or more
documented processes that collectively include each of the applicable
requirement parts in CIP‐010‐1 Table R1 – Configuration Change
Management.
1. Maintenance practices should be addressed in, and follow, the organization's change control practices
CIP-006-5 R1 - 1.6: Monitor each Physical Access Control
System for unauthorized physical access to a Physical Access
Control System.
1. Formal processes and procedures should be implemented to monitor for unauthorized access.
CIP-006-5 R1 - 1.8: Log (through automated means or by
personnel who control entry) entry of each individual with authorized
unescorted physical access into each Physical Security Perimeter,
with information to identify the individual and date and time of entry.
1. Formal processes and procedures should be implemented to log successful and unsuccessful access
attempts.
CIP-006-5 R1 - 1.9: Retain physical access logs of entry of
individuals with authorized unescorted physical access into each
Physical Security Perimeter for at least ninety calendar days.
1. Formal processes and procedures should be implemented to retain audit logs.
CIP-006-5 R2 - 2.2: Require manual or automated logging
of visitor entry into and exit from the Physical Security Perimeter that
includes date and time of the initial entry and last exit, the visitor’s
name, and the name of an individual point of contact responsible for
the visitor, except during CIP Exceptional Circumstances.
1. Formal processes and procedures should be implemented to log successful and unsuccessful access
attempts.
CIP-006-5 R1 - 2.3: Retain visitor logs for at least ninety
calendar days.
1. Formal processes and procedures should be implemented to retain audit logs.
CIP-007-5 R4 - 4.3: Where technically feasible, retain applicable
event logs identified in Part 4.1 for at least the last 90 consecutive
calendar days except under CIP Exceptional Circumstances.
1. Formal processes and procedures should be implemented to retain audit logs.
CIP-007-5 R4 - 4.4: Review a summarization or sampling of logged
events as determined by the Responsible Entity at intervals no
greater than 15 calendar days to identify undetected Cyber Security
Incidents.
1. Formal processes and procedures should be implemented to ensure receipt of required audit logs and
identify failures of logging capabilities.
PR.PT-2: Removable media is protected and its
use restricted according to policy
IAM-2a
IAM-2b
IAM-1c
IAM-2c IAM-2e
IAM-3f
IAM-1i
1. This requirement will be addressed in CIP version 6
CIP-004-5.1 R4: Each Responsible Entity shall implement, in a
manner that identifies, assesses, and corrects deficiencies, one or
more documented access management programs that collectively
include each of the applicable requirement parts in CIP‐004‐5.1 Table
R4 – Access Management Program.
1. A formal procedure or process should be defined for managing logical system access. The procedure or
process should encompass: (1) granting of access (including training and background checks), and (2)
periodic review of access permissions (including review and update of training and background checks).
The procedure or process should demonstrate implementation of "principle of least privilege" or "need to
know". This can be accomplished through a written procedure or documented workflow.
CIP-004-5.1 R5: Each Responsible Entity shall implement, in a
manner that identifies, assesses, and corrects deficiencies, one or
more documented access revocation programs that collectively
include each of the applicable requirement parts in CIP‐004‐5.1 Table
R5 – Access Revocation.
1. A formal procedure or process should be defined for revoking logical system access and shared account
access. The procedure or process should ensure that the triggering events (e.g.: termination, promotion,
job transfer) for access revocation are clearly stated and how those events are incorporated into access
revocation processes. This can be accomplished through a written procedure or documented workflow.
CIP-005-5 R2: Each Responsible Entity allowing Interactive Remote
Access to BES Cyber Systems shall implement one or more
documented processes that collectively include the applicable
requirement parts, where technically feasible, in CIP-005-5 Table R2
– Interactive Remote Access Management.
1. There should be a formal procedure or process to monitor and control remote access.
PR.PT-3: Access to systems and assets is
controlled, incorporating the principle of least
functionality
IAM-2a
IAM-2b
IAM-2c
IAM-2d
IAM-2e
IAM-2f
IAM-2g
IAM-2h
IAM-2i
PR.MA-2: Remote maintenance of
organizational assets is approved, logged, and
performed in a manner that prevents
unauthorized access
SA-1a
IR-1c
IAM-2a
IAM-2b
IAM-2c
IAM-2d
IAM-2e
IAM-2f
IAM-2g
IAM-2h
IAM-2i
PR.PT-1: Audit/log records are determined,
documented, implemented, and reviewed in
accordance with policy
SA-1a
SA-2a
SA-1b
SA-1c
SA-2e
SA-4a
SA-1d
SA-1e
SA-3d
SA-4e
Protective Technology (PT): Technical security
solutions are managed to ensure the security and
resilience of systems and assets, consistent with related
policies, procedures, and agreements.
Page 21 of 34
CIP-007-5 R5: Each Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, one or more
documented processes that collectively include each of the applicable
requirement parts in CIP-007-5 Table R5 – System Access Controls.
1. There should be a formal procedure or process for managing system access controls to protect systems
from unauthorized access. The procedure or process should define: (1) the use of authentication methods;
(2) management of default accounts provided by vendors and accounts shared by multiple people; (3)
management of all entity-defined accounts shared by multiple people, including generic, service, and
administrator accounts; (4) implementation of password requirements, including complexity and periodic
changes; and (5) limiting and alerting on unsuccessful login attempts for all accounts.
CIP-004-5.1 R4: Each Responsible Entity shall implement, in a
manner that identifies, assesses, and corrects deficiencies, one or
more documented access management programs that collectively
include each of the applicable requirement parts in CIP‐004‐5.1 Table
R4 – Access Management Program.
1. Rules for the implementation of access control to communications and control network protections
should be included in the entity's official security policy.
CIP-005-5 R1: Each Responsible Entity shall implement one or more
documented processes that collectively include each of the applicable
requirement parts in CIP-005-5 Table R1 – Electronic Security
Perimeter.
1. There should be a formal procedure or process to secure communications and control networks.
CIP-005-5 R2: Each Responsible Entity allowing Interactive Remote
Access to BES Cyber Systems shall implement one or more
documented processes that collectively include the applicable
requirement parts, where technically feasible, in CIP-005-5 Table R2
– Interactive Remote Access Management.
1. There should be a formal procedure or process to secure communications and control networks accessed
through remote access.
DE.AE-1: A baseline of network operations and
expected data flows for users and systems is
established and managed
SA-2b SA-2e
1. Baseline network monitoring practices can be integrated within the entity's CIP-005-5 R1.5 Malicious
Communications program, CIP-007-5 R3 Malicious Code Prevention program, and/or CIP-010-1 R2
Change Monitoring program.
CIP-003-5 R1 - 1.5: Each Responsible Entity, for its high impact and
medium impact BES Cyber Systems, shall review and obtain CIP
Senior Manager approval at least once every 15 calendar months for
one or more documented cyber security policies that collectively
address the following topics: Incident reporting and response planning
(CIP‐008);
1. Security policy must include intrusion detection and a process for analyzing detected events, including
the target and the attack methodology.
CIP-007-5 R4: Each Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, one or more
documented processes that collectively include each of the applicable
requirement parts in CIP-007-5 Table R4 – Security Event Monitoring.
1. Monitoring tools and log sources should be configured to collect event data at a level of granularity
necessary to effectively analyze the event.
CIP-008-5 R1: Each Responsible Entity shall document one or more
Cyber Security Incident response plan(s) that collectively include each
of the applicable requirement parts in CIP‐008‐5 Table R1 – Cyber
Security Incident Response Plan Specifications.
1. Response plans should include processes for detailed analysis of the event, and a feedback loop to
ensure the same event will be more effectively detected or prevented in the future.
CIP-008-5 R2: Each Responsible Entity shall implement each of its
documented Cyber Security Incident response plans to collectively
include each of the applicable requirement parts in CIP‐008‐5 Table
R2 – Cyber Security Incident Response Plan Implementation and
Testing.
1. Response plans should include processes for detailed analysis of the event, and a feedback loop to
ensure the same event will be more effectively detected or prevented in the future.
DE.AE-3: Event data are aggregated and
correlated from multiple sources and sensors
IR-1e IR-1f
IR-2i
CIP-007-5 R4: Each Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, one or more
documented processes that collectively include each of the applicable
requirement parts in CIP-007-5 Table R4 – Security Event Monitoring.
1. Select and implement security event logging and monitoring tools that can analyze events from multiple
sources and are capable of alerting based on correlated events
DE.AE-4: Impact of events is determined
IR-2b IR-2d IR-2g
CIP-008-5 R1 - 1.1: Each Responsible Entity shall document one or
more Cyber Security Incident response plan(s) that collectively
include
1.1 One or more processes to identify, classify, and respond to Cyber
Security Incidents.
1. Must have a procedure for classifying events (e.g., analyzing their impact).
CIP-003-5 R1 - 1.5: Each Responsible Entity, for its high impact and
medium impact BES Cyber Systems, shall review and obtain CIP
Senior Manager approval at least once every 15 calendar months for
one or more documented cyber security policies that collectively
address the following topics: Incident reporting and response planning
(CIP‐008);
1. Policies should address thresholds for invoking the response plans
PR.PT-4: Communications and control networks
are protected
CPM-3a CPM-3b
CPM-3c
CPM-3d
DE.AE-2: Detected events are analyzed to
understand attack targets and methods
IR-2i
IR-3h
DE.AE-5: Incident alert thresholds are
established
IR-2d
TVM-1d
SA-2d
IR-2g
RM-2j
Anomalies and Events (AE): Anomalous activity is
detected in a timely manner and the potential impact of
events is understood.
Page 22 of 34
CIP-003-5 R2 - 2.4: Each Responsible Entity for its assets identified
in CIP‐002‐5, Requirement R1, Part R1.3, shall implement, in a
manner that identifies, assesses, and corrects deficiencies, one or
more documented cyber security policies that collectively address the
following topics, and review and obtain CIP Senior Manager approval
for those policies at least once every 15 calendar months: (An
inventory, list, or discrete identification of low impact BES Cyber
Systems or their BES Cyber Assets is not required). Incident
response to a Cyber Security Incident.
1. Policies should address thresholds for invoking the response plans
CIP-008-5 R1: Each Responsible Entity shall document one or more
Cyber Security Incident response plan(s) that collectively include each
of the applicable requirement parts in CIP‐008‐5 Table R1 – Cyber
Security Incident Response Plan Specifications.
1. Response to incidents should be triggered based on thresholds established with the plan and per the
entity's policies
CIP-008-5 R2: Each Responsible Entity shall implement each of its
documented Cyber Security Incident response plans to collectively
include each of the applicable requirement parts in CIP‐008‐5 Table
R2 – Cyber Security Incident Response Plan Implementation and
Testing.
1. Response to incidents should be triggered based on thresholds established with the plan and per the
entity's policies
CIP-008-5 R3: Each Responsible Entity shall maintain each of its
Cyber Security Incident response plans according to each of the
applicable requirement parts in CIP‐008‐5 Table R3 – Cyber Security
Incident Response Plan Review, Update, and Communication.
1. Response to incidents should be triggered based on thresholds established with the plan and per the
entity's policies
2. When performing an after-incident review, ensure thresholds were appropriate
DE.CM-1: The network is monitored to detect
potential cybersecurity events
SA-2a
SA-2b
SA-2e
SA-2f
SA-2g
SA-2i
CIP-005-5 R1 - 1.5: Each Responsible Entity shall implement one or
more documented processes that collectively include each of the
applicable requirement parts in CIP‐005‐5 Table R1 – Electronic
Security Perimeter. Have one or more methods for
detecting known or suspected malicious communications for both
inbound and outbound communications.
1. Monitoring of network access points is specified in CIP-005-5 R1.5
2. Monitoring can be enhanced by including analysis of traffic within the security perimeter
CIP-006-5 R1: Each Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, one or more
documented physical security plans that collectively include all of the
applicable requirement parts in CIP-006-5 Table R1 – Physical
Security Plan.
1. Plan should specify technical and procedural controls for monitoring the physical environment
CIP-006-5 R2: Each Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, one or more
documented visitor control programs that include each of the
applicable requirement parts in CIP-006-5 Table R2 – Visitor Control
Program.
1. Program should specify monitoring of visitors within a secure perimeter (human and/or electronic
monitoring)
CIP-003-5 R1 - 1.2: Each Responsible Entity, for its high impact and
medium impact BES Cyber Systems, shall review and obtain CIP
Senior Manager approval at least once every 15 calendar months for
one or more documented cyber security policies that collectively
address the following topics: Electronic Security Perimeters (CIP‐005)
including Interactive Remote Access;
1. Policies should make clear that end-user activities will be monitored
CIP-003-5 R1 - 1.4: Each Responsible Entity, for its high impact and
medium impact BES Cyber Systems, shall review and obtain CIP
Senior Manager approval at least once every 15 calendar months for
one or more documented cyber security policies that collectively
address the following topics: System security management (CIP‐007);
1. Policies should make clear that end-user activities will be monitored
CIP-007-5 R4: Each Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, one or more
documented processes that collectively include each of the applicable
requirement parts in CIP-007-5 Table R4 – Security Event Monitoring.
1. Monitoring tools should be capable of detecting interactive (personnel) activities separately from
non-interactive (machine to machine) activities
CIP-007-5 R5: Each Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, one or more
documented processes that collectively include each of the applicable
requirement parts in CIP-007-5 Table R5 – System Access Controls.
1. Access controls should be configured to properly log events related to personnel usage activities
DE.CM-2: The physical environment is
monitored to detect potential cybersecurity
events
SA-2a
SA-2b
SA-2i
DE.CM-3: Personnel activity is monitored to
detect potential cybersecurity events
SA-2a
SA-2b
SA-2i
Security Continuous Monitoring (CM): The
information system and assets are monitored at discrete
intervals to identify cybersecurity events and verify the
effectiveness of protective measures.
Page 23 of 34
CIP-003-5 R1 - 1.2: Each Responsible Entity, for its high impact and
medium impact BES Cyber Systems, shall review and obtain CIP
Senior Manager approval at least once every 15 calendar months for
one or more documented cyber security policies that collectively
address the following topics: Electronic Security Perimeters (CIP‐005)
including Interactive Remote Access;
1. Policies should contain requirements for malware controls for any device initiating an interactive remote
access session
CIP-007-5 R3: Each Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, one or more
documented processes that collectively include each of the applicable
requirement parts in CIP-007-5 Table R3 – Malicious Code
Prevention.
1. Processes should include criteria and thresholds for invoking incident response plans for detected
malicious code
CIP-007-5 R3: Each Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, one or more
documented processes that collectively include each of the applicable
requirement parts in CIP-007-5 Table R3 – Malicious Code
Prevention.
1. Processes should include criteria and thresholds for invoking incident response plans for detected
malicious code
CIP-010-1 R2: Each Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, one or more
documented processes that collectively include each of the applicable
requirement parts in CIP‐010‐1 Table R2 – Configuration Monitoring.
1. Configuration monitoring procedures can be enhanced to include active monitoring of mobile device
code, for any such assets that are in scope for NERC CIP including devices used for maintenance and
testing
DE.CM-6: External service provider activity is
monitored to detect potential cybersecurity
events
EDM-2a
SA-2a
SA-2b
EDM-2j
EDM-2l
EDM-2n
CIP-005-5 R1 - 1.5: Each Responsible Entity shall implement one or
more documented processes that collectively include each of the
applicable requirement parts in CIP‐005‐5 Table R1 – Electronic
Security Perimeter. Have one or more methods for
detecting known or suspected malicious communications for both
inbound and outbound communications.
1. Electronic perimeter monitoring should include technical or procedural controls to detect potential
cybersecurity events sourced from an external service provider
CIP-003-5 R2 - 2.3: Each Responsible Entity for its assets identified
in CIP‐002‐5, Requirement R1, Part R1.3, shall implement, in a
manner that identifies, assesses, and corrects deficiencies, one or
more documented cyber security policies that collectively address the
following topics, and review and obtain CIP Senior Manager approval
for those policies at least once every 15 calendar months: (An
inventory, list, or discrete identification of low impact BES Cyber
Systems or their BES Cyber Assets is not required). Electronic
access controls for external routable protocol connections and Dial‐up
Connectivity;
1. Policies should contain requirements for authorization of access
2. Personnel should be made aware that the entity is monitoring for unauthorized access
CIP-004-5.1 R3: Each Responsible Entity shall implement, in a
manner that identifies, assesses, and corrects deficiencies, one or
more documented personnel risk assessment programs to attain and
retain authorized electronic or authorized unescorted physical access
to BES Cyber Systems that collectively include each of the applicable
requirement parts in CIP‐004‐5.1 Table R3 – Personnel Risk
Assessment Program.
1. For personnel who attain or retain authorized electronic access or authorized unescorted physical access
to BES Cyber Systems, a process shall be identified to authenticate the individual and perform appropriate
background checks.
2. Personnel risk management program should stipulate consequences for violating policies related to
access management
CIP-006-5 R1 - 1.5: Issue an alarm or alert in response to detected
unauthorized access through a physical access point into a Physical
Security Perimeter to the personnel identified in the BES Cyber
Security Incident response plan within 15 minutes of detection.
1. Monitor for unauthorized personnel
CIP-006-5 R1 - 1.6: Monitor each Physical Access Control
System for unauthorized physical access to a Physical Access
Control System.
1. Monitor for unauthorized personnel
CIP-007-5 R4: Each Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, one or more
documented processes that collectively include each of the applicable
requirement parts in CIP-007-5 Table R4 – Security Event Monitoring.
1. Monitor for unauthorized access to a protected device
2. Monitor for unauthorized remote access to a protected network
3. Monitor for unauthorized devices within a protected network
4. Monitor for unauthorized software in conjunction with CIP-010-1 R2
DE.CM-7: Monitoring for unauthorized
personnel, connections, devices, and software is
performed
SA-2a
SA-2b
SA-2e
SA-2f
SA-2g
SA-2i
DE.CM-4: Malicious code is detected SA-2a
SA-2b
SA-2e
CPM-4a
SA-2i
DE.CM-5: Unauthorized mobile code is detected SA-2a
SA-2b
SA-2e SA-2h
SA-2i
DETECT
(DE)
Page 24 of 34
CIP-003-5 R1 - 1.7: Each Responsible Entity, for its high impact and
medium impact BES Cyber Systems, shall review and obtain CIP
Senior Manager approval at least once every 15 calendar months for
one or more documented cyber security policies that collectively
address the following topics: Configuration change management and
vulnerability assessments (CIP‐010);
1. Policies should make clear the stakeholders' expectations of the vulnerability assessment program
CIP-007-5 R3: Each Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, one or more
documented processes that collectively include each of the applicable
requirement parts in CIP-007-5 Table R3 – Malicious Code
Prevention.
1. Where malicious code prevention processes utilize signature-based protections, ensure scans are
performed subsequent to any update to those signatures
CIP-010-1 R3: Each Responsible Entity shall implement one or more
documented processes that collectively include each of the applicable
requirement parts in CIP‐010‐1 Table R3 – Vulnerability
Assessments.
1. If active assessment of a production environment is performed, it should be done in a way that minimizes
the potential for adverse consequences. New cyber assets should be actively tested prior to deployment in
a production system.
CIP-003-5 R1 - 1.1: Each Responsible Entity, for its high impact and
medium impact BES Cyber Systems, shall review and obtain CIP
Senior Manager approval at least once every 15 calendar months for
one or more documented cyber security policies that collectively
address the following topics: Personnel & training (CIP‐004)
1. Roles and responsibilities of personnel as they relate to detected security events should be defined, as well
as the training programs necessary to disseminate the required information.
CIP-003-5 R3: Each Responsible Entity shall identify a CIP Senior
Manager by name and document any change within 30 calendar days
of the change.
1. Role of the CIP Senior Manager in security event detection or response should be documented where
appropriate
CIP-003-5 R4: The Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, a documented
process to delegate authority, unless no delegations are used. Where
allowed by the CIP Standards, the CIP Senior Manager may delegate
authority for specific actions to a delegate or delegates. These
delegations shall be documented, including the name or title of the
delegate, the specific actions delegated, and the date of the
delegation; approved by the CIP Senior Manager; and updated within
30 days of any change to the delegation. Delegation changes do not
need to be reinstated with a change to the delegator.
1. Roles of any delegates specified by the CIP Senior Manager related to security event detection or
response should be documented
CIP-007-5 R3: Each Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, one or more
documented processes that collectively include each of the applicable
requirement parts in CIP-007-5 Table R3 – Malicious Code
Prevention.
1. Response actions for detected malicious code should include clear and pre-defined roles and
responsibilities
CIP-008-5 R1: Each Responsible Entity shall document one or more
Cyber Security Incident response plan(s) that collectively include each
of the applicable requirement parts in CIP‐008‐5 Table R1 – Cyber
Security Incident Response Plan Specifications.
1. Response actions for detected malicious code should include clear and pre-defined roles and
responsibilities
DE.DP-2: Detection activities comply with all
applicable requirements
IR-1d IR-1g
IR-5f
RM-1c
RM-2j
CIP-008-5 R3: Each Responsible Entity shall maintain each of its
Cyber Security Incident response plans according to each of the
applicable requirement parts in CIP‐008‐5 Table R3 – Cyber Security
Incident Response Plan Review, Update, and Communication.
1. When preparing after-action reports for a security event, ensure processes include a review of
responses against applicable company policies and external regulations
DE.CM-8: Vulnerability scans are performed TVM-2e TVM-2i
DE.DP-1: Roles and responsibilities for
detection are well defined to ensure
accountability
IR-1a
IR-3a
WM-1a
WM-1b
WM-1d WM-1f
WM-1h
Detection Processes (DP):
Detection processes and procedures are maintained
and tested to ensure timely and adequate awareness of
anomalous events.
CIP-004-5.1 R2 - 2.1: Each Responsible Entity shall implement, in a
manner that identifies, assesses, and corrects deficiencies, a cyber
security training program(s) appropriate to individual roles, functions,
or responsibilities that collectively includes each of the applicable
requirement parts in CIP‐004‐5.1 Table R2 – Cyber Security Training
Program. Training content on:
2.1.1. Cyber security policies;
2.1.2. Physical access controls;
2.1.3. Electronic access controls;
2.1.4. The visitor control program;
2.1.5. Handling of BES Cyber System Information and its storage;
2.1.6. Identification of a Cyber Security Incident and initial
notifications in accordance with the entity’s incident response plan;
2.1.7. Recovery plans for BES Cyber Systems;
2.1.8. Response to Cyber Security Incidents; and
2.1.9. Cyber security risks associated with a BES Cyber System’s
electronic interconnectivity and interoperability with other Cyber
Assets.
1. Staff can be effectively trained on security event response by testing detection technologies and
observing the response. For instance, regularly submit an EICAR file to a non-production cyber asset to
test the malware detection/prevention system.
CIP-006-5 R3: Each Responsible Entity shall implement one or more
documented Physical Access Control System maintenance and
testing programs that collectively include each of the applicable
requirement parts in CIP-006-5 Table R3 – Maintenance and Testing
Program.
1. Physical access controls are routinely tested
CIP-008-5 R2: Each Responsible Entity shall implement each of its
documented Cyber Security Incident response plans to collectively
include each of the applicable requirement parts in CIP‐008‐5 Table
R2 – Cyber Security Incident Response Plan Implementation and
Testing.
1. Detection tools can be tested during incident response drills
CIP-003-5 R1 - 1.5: Each Responsible Entity, for its high impact and
medium impact BES Cyber Systems, shall review and obtain CIP
Senior Manager approval at least once every 15 calendar months for
one or more documented cyber security policies that collectively
address the following topics: Incident reporting and response planning
(CIP‐008);
1. Policies should contain language addressing the notification of stakeholders of an event that meets
documented thresholds
CIP-007-5 R4: Each Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, one or more
documented processes that collectively include each of the applicable
requirement parts in CIP-007-5 Table R4 – Security Event Monitoring.
1. Event summaries should be communicated to key stakeholders, to include a frank assessment of the
effectiveness of the response actions and security controls.
CIP-008-5 R2: Each Responsible Entity shall implement each of its
documented Cyber Security Incident response plans to collectively
include each of the applicable requirement parts in CIP‐008‐5 Table
R2 – Cyber Security Incident Response Plan Implementation and
Testing.
1. Event summaries should be communicated to key stakeholders, to include a frank assessment of the
effectiveness of the response actions and security controls.
DE.DP-5: Detection processes are continuously
improved
IR-3h IR-3k
CIP-008-5 R2: Each Responsible Entity shall implement each of its
documented Cyber Security Incident response plans to collectively
include each of the applicable requirement parts in CIP‐008‐5 Table
R2 – Cyber Security Incident Response Plan Implementation and
Testing.
1. The stated goal of the incident response testing program should be the strengthening of security controls
through a process of regular review and assessment
2. Incident tests should be structured to emulate the current threat landscape and assess the ability of
existing controls to mitigate or eliminate the risk
Response Planning (RP): Response processes and
procedures are executed and maintained, to ensure
timely response to detected cybersecurity events.
RS.RP-1: Response plan is executed during or
after an event
IR-3d
CIP-008-5 R2: Each Responsible Entity shall implement each of its
documented Cyber Security Incident response plans to collectively
include each of the applicable requirement parts in CIP‐008‐5 Table
R2 – Cyber Security Incident Response Plan Implementation and
Testing.
1. Response plan is executed during or after an event
CIP-004-5.1 R2 - Part 2.1.8: Each Responsible Entity shall
implement, in a manner that identifies, assesses, and corrects
deficiencies, a cyber security training program(s) appropriate to
individual roles, functions, or responsibilities that collectively includes
each of the applicable requirement parts in CIP-004-5.1 Table R2 –
Cyber Security Training Program. 2.1.8. Training content on:
Response to Cyber Security Incidents;
1. Goal of the training should be that personnel know their roles and order of operations when a response
is needed
DE.DP-4: Event detection information is
communicated to appropriate parties
IR-1b
IR-3c
ISC-1a
ISC-1c
ISC-1d
IR-3n
ISC-1h
RS.CO-1: Personnel know their roles and order
of operations when a response is needed
IR-3a IR-5a
IR-5b
DE.DP-3: Detection processes are tested IR-3e IR-3j
Communications (CO): Response activities are
coordinated with internal and external stakeholders, as
appropriate, to include external support from law
enforcement agencies.
CIP-008-5 R1: Each Responsible Entity shall document one or more
Cyber Security Incident response plan(s) that collectively include each
of the applicable requirement parts in CIP‐008‐5 Table R1 – Cyber
Security Incident Response Plan Specifications.
1. Roles and responsibilities of personnel as they relate to incident response should be defined within each
plan
CIP-008-5 R3: Each Responsible Entity shall maintain each of its
Cyber Security Incident response plans according to each of the
applicable requirement parts in CIP‐008‐5 Table R3 – Cyber Security
Incident Response Plan Review, Update, and Communication.
1. After-action tasks should include an analysis of the effectiveness and accuracy of the documented roles
and responsibilities
CIP-003-5 R1 - 1.5: Each Responsible Entity, for its high impact and
medium impact BES Cyber Systems, shall review and obtain CIP
Senior Manager approval at least once every 15 calendar months for
one or more documented cyber security policies that collectively
address the following topics: Incident reporting and response planning
(CIP‐008);
1. Policies can be used to document management's expectations for incident reporting
CIP-003-5 R2 - 2.4: Each Responsible Entity for its assets identified
in CIP‐002‐5, Requirement R1, Part R1.3, shall implement, in a
manner that identifies, assesses, and corrects deficiencies, one or
more documented cyber security policies that collectively address the
following topics, and review and obtain CIP Senior Manager approval
for those policies at least once every 15 calendar months: (An
inventory, list, or discrete identification of low impact BES Cyber
Systems or their BES Cyber Assets is not required). Incident
response to a Cyber Security Incident.
1. Policies can be used to document management's expectations for incident reporting
CIP-005-5 R1 - 1.5: Each Responsible Entity shall implement one or
more documented processes that collectively include each of the
applicable requirement parts in CIP‐005‐5 Table R1 – Electronic
Security Perimeter. Have one or more methods for
detecting known or suspected malicious communications for both
inbound and outbound communications.
1. Reporting criteria should address events detected at electronic access points
CIP-006-5 R1 - 1.5: Issue an alarm or alert in response to detected
unauthorized access through a physical access point into a Physical
Security Perimeter to the personnel identified in the BES Cyber
Security Incident response plan within 15 minutes of detection.
1. Reporting criteria should address events detected at physical access points
CIP-006-5 R1 - 1.7: Issue an alarm or alert in response to
detected unauthorized physical access to a Physical Access Control
System to the personnel identified in the BES Cyber Security Incident
response plan within 15 minutes of the detection.
1. Reporting criteria should address events detected at physical access points
CIP-007-5 R4: Each Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, one or more
documented processes that collectively include each of the applicable
requirement parts in CIP-007-5 Table R4 – Security Event Monitoring.
1. Reporting criteria should address events detected by monitoring tools
CIP-008-5 R1: Each Responsible Entity shall document one or more
Cyber Security Incident response plan(s) that collectively include each
of the applicable requirement parts in CIP‐008‐5 Table R1 – Cyber
Security Incident Response Plan Specifications.
1. Procedures for event reporting should be specified within each response plan
CIP-008-5 R2: Each Responsible Entity shall implement each of its
documented Cyber Security Incident response plans to collectively
include each of the applicable requirement parts in CIP‐008‐5 Table
R2 – Cyber Security Incident Response Plan Implementation and
Testing.
1. Procedures for event reporting should be followed
CIP-008-5 R3: Each Responsible Entity shall maintain each of its
Cyber Security Incident response plans according to each of the
applicable requirement parts in CIP‐008‐5 Table R3 – Cyber Security
Incident Response Plan Review, Update, and Communication.
1. After-action tasks should include an analysis of the effectiveness and accuracy of reporting
CIP-008-5 R1: Each Responsible Entity shall document one or more
Cyber Security Incident response plan(s) that collectively include each
of the applicable requirement parts in CIP‐008‐5 Table R1 – Cyber
Security Incident Response Plan Specifications.
1. Procedures for event reporting should be specified within each response plan
RS.CO-2: Events are reported consistent with
established criteria
IR-1a
IR-1b
RS.CO-3: Information is shared consistent with
response plans
ISC-1a
ISC-1b
IR-3d
ISC-1c
ISC-1d
CIP-008-5 R2: Each Responsible Entity shall implement each of its
documented Cyber Security Incident response plans to collectively
include each of the applicable requirement parts in CIP‐008‐5 Table
R2 – Cyber Security Incident Response Plan Implementation and
Testing.
1. Procedures for event reporting should be followed
CIP-003-5 R2 - 2.4: Each Responsible Entity for its assets identified
in CIP‐002‐5, Requirement R1, Part R1.3, shall implement, in a
manner that identifies, assesses, and corrects deficiencies, one or
more documented cyber security policies that collectively address the
following topics, and review and obtain CIP Senior Manager approval
for those policies at least once every 15 calendar months: (An
inventory, list, or discrete identification of low impact BES Cyber
Systems or their BES Cyber Assets is not required). Incident
response to a Cyber Security Incident.
1. Policies can be used to document management's expectations for incident reporting and coordination
with stakeholders
CIP-008-5 R1: Each Responsible Entity shall document one or more
Cyber Security Incident response plan(s) that collectively include each
of the applicable requirement parts in CIP‐008‐5 Table R1 – Cyber
Security Incident Response Plan Specifications.
1. Procedures for event reporting should be specified within each response plan
CIP-008-5 R2: Each Responsible Entity shall implement each of its
documented Cyber Security Incident response plans to collectively
include each of the applicable requirement parts in CIP‐008‐5 Table
R2 – Cyber Security Incident Response Plan Implementation and
Testing.
1. Procedures for event reporting should be followed
CIP-003-5 R1 - 1.5: Each Responsible Entity, for its high impact and
medium impact BES Cyber Systems, shall review and obtain CIP
Senior Manager approval at least once every 15 calendar months for
one or more documented cyber security policies that collectively
address the following topics: Incident reporting and response planning
(CIP‐008);
1. Policies can be used to document management's expectations for incident reporting and coordination
with stakeholders
CIP-003-5 R2 - 2.4: Each Responsible Entity for its assets identified
in CIP‐002‐5, Requirement R1, Part R1.3, shall implement, in a
manner that identifies, assesses, and corrects deficiencies, one or
more documented cyber security policies that collectively address the
following topics, and review and obtain CIP Senior Manager approval
for those policies at least once every 15 calendar months: (An
inventory, list, or discrete identification of low impact BES Cyber
Systems or their BES Cyber Assets is not required). Incident
response to a Cyber Security Incident.
1. Policies can be used to document management's expectations for incident reporting and coordination
with stakeholders
CIP-008-5 R1: Each Responsible Entity shall document one or more
Cyber Security Incident response plan(s) that collectively include each
of the applicable requirement parts in CIP‐008‐5 Table R1 – Cyber
Security Incident Response Plan Specifications.
1. Procedures for information sharing should be specified within each response plan
CIP-008-5 R2: Each Responsible Entity shall implement each of its
documented Cyber Security Incident response plans to collectively
include each of the applicable requirement parts in CIP‐008‐5 Table
R2 – Cyber Security Incident Response Plan Implementation and
Testing.
1. Procedures for information sharing should be followed
CIP-003-5 R1 - 1.5: Each Responsible Entity, for its high impact and
medium impact BES Cyber Systems, shall review and obtain CIP
Senior Manager approval at least once every 15 calendar months for
one or more documented cyber security policies that collectively
address the following topics: Incident reporting and response planning
(CIP‐008);
1. Policies should include language that communicates management's expectations for responding to
alerts from detection systems
CIP-003-5 R2 - 2.4: Each Responsible Entity for its assets identified
in CIP‐002‐5, Requirement R1, Part R1.3, shall implement, in a
manner that identifies, assesses, and corrects deficiencies, one or
more documented cyber security policies that collectively address the
following topics, and review and obtain CIP Senior Manager approval
for those policies at least once every 15 calendar months: (An
inventory, list, or discrete identification of low impact BES Cyber
Systems or their BES Cyber Assets is not required). Incident
response to a Cyber Security Incident.
1. Policies should include language that communicates management's expectations for responding to
alerts from detection systems
RS.CO-4: Coordination with stakeholders
occurs consistent with response plans
IR-3d
IR-5b
RS.CO-5: Voluntary information sharing occurs
with external stakeholders to achieve broader
cybersecurity situational awareness
ISC-1a
ISC-1b
IR-3c
ISC-1c
ISC-1d
ISC-1e
ISC-1f
ISC-1h
ISC-1i
ISC-1j
ISC-1k
ISC-1l
RS.AN-1: Notifications from detection systems
are investigated
IR-1e
SA-3a
IR-1f
IR-1h
Analysis (AN): Analysis is conducted to ensure
adequate response and support recovery activities.
CIP-006-5 R1 - 1.5: Issue an alarm or alert in response to detected
unauthorized access through a physical access point into a Physical
Security Perimeter to the personnel identified in the BES Cyber
Security Incident response plan within 15 minutes of detection.
1. Procedures should include language that supports management's expectations for responding to alerts
from detection systems
CIP-006-5 R1 - 1.7: Issue an alarm or alert in response to
detected unauthorized physical access to a Physical Access Control
System to the personnel identified in the BES Cyber Security Incident
response plan within 15 minutes of the detection.
1. Procedures should include language that supports management's expectations for responding to alerts
from detection systems
CIP-007-5 R4: Each Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, one or more
documented processes that collectively include each of the applicable
requirement parts in CIP-007-5 Table R4 – Security Event Monitoring.
1. Procedures should include language that supports management's expectations for responding to alerts
from detection systems
CIP-008-5 R2: Each Responsible Entity shall implement each of its
documented Cyber Security Incident response plans to collectively
include each of the applicable requirement parts in CIP‐008‐5 Table
R2 – Cyber Security Incident Response Plan Implementation and
Testing.
1. Procedures should include language that supports management's expectations for responding to alerts
from detection systems
RS.AN-2: The impact of the incident is
understood
IR-2d
IR-2g
IR-2d
TVM-1d
IR-2g
RM-2j
CIP-008-5 R2: Each Responsible Entity shall implement each of its
documented Cyber Security Incident response plans to collectively
include each of the applicable requirement parts in CIP‐008‐5 Table
R2 – Cyber Security Incident Response Plan Implementation and
Testing.
1. When implementing an incident response plan, response personnel should take deliberate actions only
when the impact of the incident and their actions are understood
CIP-003-5 R1 - 1.5: Each Responsible Entity, for its high impact and
medium impact BES Cyber Systems, shall review and obtain CIP
Senior Manager approval at least once every 15 calendar months for
one or more documented cyber security policies that collectively
address the following topics: Incident reporting and response planning
(CIP‐008);
1. Policy should establish criteria for when and how forensic data is collected, handled, and analyzed
CIP-008-5 R1: Each Responsible Entity shall document one or more
Cyber Security Incident response plan(s) that collectively include each
of the applicable requirement parts in CIP‐008‐5 Table R1 – Cyber
Security Incident Response Plan Specifications.
1. Procedures should include steps for how forensic data is collected, handled, and analyzed
CIP-008-5 R2: Each Responsible Entity shall implement each of its
documented Cyber Security Incident response plans to collectively
include each of the applicable requirement parts in CIP‐008‐5 Table
R2 – Cyber Security Incident Response Plan Implementation and
Testing.
1. Forensics activities are performed when specified in the response plans
CIP-009-5 R1 - 1.5: One or more processes to preserve data, per
Cyber Asset capability, for determining the cause of a Cyber Security
Incident that triggers activation of the recovery plan(s). Data
preservation should not impede or restrict recovery.
1. Forensics activities are performed when specified in the response plans
CIP-003-5 R1 - 1.5: Each Responsible Entity, for its high impact and
medium impact BES Cyber Systems, shall review and obtain CIP
Senior Manager approval at least once every 15 calendar months for
one or more documented cyber security policies that collectively
address the following topics: Incident reporting and response planning
(CIP‐008);
1. Policy should establish a classification model for security events
CIP-003-5 R2 - 2.4: Each Responsible Entity for its assets identified
in CIP‐002‐5, Requirement R1, Part R1.3, shall implement, in a
manner that identifies, assesses, and corrects deficiencies, one or
more documented cyber security policies that collectively address the
following topics, and review and obtain CIP Senior Manager approval
for those policies at least once every 15 calendar months: (An
inventory, list, or discrete identification of low impact BES Cyber
Systems or their BES Cyber Assets is not required). Incident
response to a Cyber Security Incident.
1. Policy should establish a classification model for security events
CIP-008-5 R1: Each Responsible Entity shall document one or more
Cyber Security Incident response plan(s) that collectively include each
of the applicable requirement parts in CIP‐008‐5 Table R1 – Cyber
Security Incident Response Plan Specifications.
1. Procedures should follow an established classification model to ensure that security events can be
responded to quickly based on general characteristics
RS.AN-4: Incidents are categorized consistent
with response plans
IR-2a IR-1d
IR-1e
IR-2d
TVM-1d
IR-2g
RM-1c
RS.AN-3: Forensics are performed IR-3d IR-3i
RESPOND
(RS)
CIP-008-5 R2: Each Responsible Entity shall implement each of its
documented Cyber Security Incident response plans to collectively
include each of the applicable requirement parts in CIP‐008‐5 Table
R2 – Cyber Security Incident Response Plan Implementation and
Testing.
1. Procedures should follow an established classification model to ensure that security events can be
responded to quickly based on general characteristics
CIP-003-5 R1 - 1.5: Each Responsible Entity, for its high impact and
medium impact BES Cyber Systems, shall review and obtain CIP
Senior Manager approval at least once every 15 calendar months for
one or more documented cyber security policies that collectively
address the following topics: Incident reporting and response planning
(CIP‐008);
1. Policies should specify a model of containment, eradication, and recovery for security incidents
CIP-003-5 R1 - 1.9: Each Responsible Entity, for its high impact and
medium impact BES Cyber Systems, shall review and obtain CIP
Senior Manager approval at least once every 15 calendar months for
one or more documented cyber security policies that collectively
address the following topics: Declaring and responding to CIP
Exceptional Circumstances.
1. Policies should specify a model of containment, eradication, and recovery for security incidents
CIP-003-5 R2 - 2.4: Each Responsible Entity for its assets identified
in CIP‐002‐5, Requirement R1, Part R1.3, shall implement, in a
manner that identifies, assesses, and corrects deficiencies, one or
more documented cyber security policies that collectively address the
following topics, and review and obtain CIP Senior Manager approval
for those policies at least once every 15 calendar months: (An
inventory, list, or discrete identification of low impact BES Cyber
Systems or their BES Cyber Assets is not required). Incident
response to a Cyber Security Incident.
1. Policies should specify a model of containment, eradication, and recovery for security incidents
CIP-005-5 R1 - 1.5: Each Responsible Entity shall implement one or
more documented processes that collectively include each of the
applicable requirement parts in CIP‐005‐5 Table R1 – Electronic
Security Perimeter. Have one or more methods for
detecting known or suspected malicious communications for both
inbound and outbound communications.
1. Procedures should specify a model of containment, eradication, and recovery for security incidents for
events detected at electronic access points
CIP-006-5 R1 - 1.5: Issue an alarm or alert in response to detected
unauthorized access through a physical access point into a Physical
Security Perimeter to the personnel identified in the BES Cyber
Security Incident response plan within 15 minutes of detection.
1. Procedures should specify a model of containment, eradication, and recovery for security incidents for
events detected at physical access points
CIP-006-5 R1 - 1.7: Issue an alarm or alert in response to
detected unauthorized physical access to a Physical Access Control
System to the personnel identified in the BES Cyber Security Incident
response plan within 15 minutes of the detection.
1. Procedures should specify a model of containment, eradication, and recovery for security incidents for
events detected at physical access points
CIP-007-5 R3: Each Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, one or more
documented processes that collectively include each of the applicable
requirement parts in CIP-007-5 Table R3 – Malicious Code
Prevention.
1. Procedures should specify a model of containment, eradication, and recovery for security incidents for
events detected by malicious code prevention systems
CIP-007-5 R4: Each Responsible Entity shall implement, in a manner
that identifies, assesses, and corrects deficiencies, one or more
documented processes that collectively include each of the applicable
requirement parts in CIP-007-5 Table R4 – Security Event Monitoring.
1. Procedures should specify a model of containment, eradication, and recovery for security incidents for
events detected by event monitoring systems
CIP-008-5 R2: Each Responsible Entity shall implement each of its
documented Cyber Security Incident response plans to collectively
include each of the applicable requirement parts in CIP‐008‐5 Table
R2 – Cyber Security Incident Response Plan Implementation and
Testing.
1. Incident response procedures should specify a model of containment, eradication, and recovery
CIP-003-5 R1 - 1.5: Each Responsible Entity, for its high impact and
medium impact BES Cyber Systems, shall review and obtain CIP
Senior Manager approval at least once every 15 calendar months for
one or more documented cyber security policies that collectively
address the following topics: Incident reporting and response planning
(CIP‐008);
1. Policies should specify a model of containment, eradication, and recovery for security incidents
RS.MI-1: Incidents are contained IR-3b
RS.MI-2: Incidents are mitigated IR-3b
Mitigation (MI): Activities are performed to prevent
expansion of an event, mitigate its effects, and eradicate
the incident.
CIP-003-5 R1 - 1.9: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: Declaring and responding to CIP Exceptional Circumstances.
1. Policies should specify a model of containment, eradication, and recovery for security incidents

CIP-003-5 R2 - 2.4: Each Responsible Entity for its assets identified in CIP-002-5, Requirement R1, Part R1.3, shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented cyber security policies that collectively address the following topics, and review and obtain CIP Senior Manager approval for those policies at least once every 15 calendar months: (An inventory, list, or discrete identification of low impact BES Cyber Systems or their BES Cyber Assets is not required). Incident response to a Cyber Security Incident.
1. Policies should specify a model of containment, eradication, and recovery for security incidents

CIP-005-5 R1 - 1.5: Each Responsible Entity shall implement one or more documented processes that collectively include each of the applicable requirement parts in CIP-005-5 Table R1 – Electronic Security Perimeter. Have one or more methods for detecting known or suspected malicious communications for both inbound and outbound communications.
1. Procedures should specify a model of containment, eradication, and recovery for security incidents for events detected at electronic access points

CIP-006-5 R1 - 1.5: Issue an alarm or alert in response to detected unauthorized access through a physical access point into a Physical Security Perimeter to the personnel identified in the BES Cyber Security Incident response plan within 15 minutes of detection.
1. Procedures should specify a model of containment, eradication, and recovery for security incidents for events detected at physical access points

CIP-006-5 R1 - 1.7: Issue an alarm or alert in response to detected unauthorized physical access to a Physical Access Control System to the personnel identified in the BES Cyber Security Incident response plan within 15 minutes of the detection.
1. Procedures should specify a model of containment, eradication, and recovery for security incidents for events detected at physical access points

CIP-007-5 R3: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented processes that collectively include each of the applicable requirement parts in CIP-007-5 Table R3 – Malicious Code Prevention.
1. Procedures should specify a model of containment, eradication, and recovery for security incidents for events detected by malicious code prevention systems

CIP-007-5 R4: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented processes that collectively include each of the applicable requirement parts in CIP-007-5 Table R4 – Security Event Monitoring.
1. Procedures should specify a model of containment, eradication, and recovery for security incidents for events detected by event monitoring systems

CIP-008-5 R2: Each Responsible Entity shall implement each of its documented Cyber Security Incident response plans to collectively include each of the applicable requirement parts in CIP-008-5 Table R2 – Cyber Security Incident Response Plan Implementation and Testing.
1. Incident response procedures should specify a model of containment, eradication, and recovery
CIP-003-5 R1 - 1.7: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: Configuration change management and vulnerability assessments (CIP-010);
1. Policies should contain language that communicates management's requirements for addressing newly identified vulnerabilities

CIP-007-5 R2: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented processes that collectively include each of the applicable requirement parts in CIP-007-5 Table R2 – Security Patch Management.
1. Patch management plans should include procedures for addressing zero-day or imminent threat vulnerabilities

CIP-007-5 R3: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented processes that collectively include each of the applicable requirement parts in CIP-007-5 Table R3 – Malicious Code Prevention.
1. Malicious code prevention plans should include procedures for addressing zero-day or imminent threat vulnerabilities

Subcategory RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks (C2M2 practices: TVM-2c, TVM-2f, TVM-2g, RM-2j, TVM-2m, TVM-2n)
CIP-010-1 R3: Each Responsible Entity shall implement one or more documented processes that collectively include each of the applicable requirement parts in CIP-010-1 Table R3 – Vulnerability Assessments.
1. Vulnerability management plans should include procedures for notification of and response to zero-day or imminent threat vulnerabilities

CIP-003-5 R1 - 1.5: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: Incident reporting and response planning (CIP-008);
1. Policies should contain language that communicates management's requirements for strengthening response plans by incorporating findings from lessons-learned analysis

CIP-003-5 R2 - 2.4: Each Responsible Entity for its assets identified in CIP-002-5, Requirement R1, Part R1.3, shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented cyber security policies that collectively address the following topics, and review and obtain CIP Senior Manager approval for those policies at least once every 15 calendar months: (An inventory, list, or discrete identification of low impact BES Cyber Systems or their BES Cyber Assets is not required). Incident response to a Cyber Security Incident.
1. Policies should contain language that communicates management's requirements for strengthening response plans by incorporating findings from lessons-learned analysis

CIP-008-5 R2: Each Responsible Entity shall implement each of its documented Cyber Security Incident response plans to collectively include each of the applicable requirement parts in CIP-008-5 Table R2 – Cyber Security Incident Response Plan Implementation and Testing.
1. Response plans should be written to include references to lessons-learned or procedural enhancements that were the result of a prior incident

CIP-008-5 R3: Each Responsible Entity shall maintain each of its Cyber Security Incident response plans according to each of the applicable requirement parts in CIP-008-5 Table R3 – Cyber Security Incident Response Plan Review, Update, and Communication.
1. During after-action analysis of an actual or simulated incident, carefully document each action, or lack of action, and the results. Address each action or lack of action with a critical analysis, and provide recommendations for improvement
CIP-003-5 R1 - 1.5: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: Incident reporting and response planning (CIP-008);
1. Policies should contain language that communicates management's requirements for reviewing and updating incident response plans

CIP-003-5 R2 - 2.4: Each Responsible Entity for its assets identified in CIP-002-5, Requirement R1, Part R1.3, shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented cyber security policies that collectively address the following topics, and review and obtain CIP Senior Manager approval for those policies at least once every 15 calendar months: (An inventory, list, or discrete identification of low impact BES Cyber Systems or their BES Cyber Assets is not required). Incident response to a Cyber Security Incident.
1. Policies should contain language that communicates management's requirements for reviewing and updating incident response plans

CIP-008-5 R1: Each Responsible Entity shall document one or more Cyber Security Incident response plan(s) that collectively include each of the applicable requirement parts in CIP-008-5 Table R1 – Cyber Security Incident Response Plan Specifications.
1. Plans should be reviewed and updated according to the periodicity specified in the policy

CIP-008-5 R2: Each Responsible Entity shall implement each of its documented Cyber Security Incident response plans to collectively include each of the applicable requirement parts in CIP-008-5 Table R2 – Cyber Security Incident Response Plan Implementation and Testing.
1. Version numbers should be clear, and incident responders should communicate to ensure staff is using the in-force version at the time of an incident

CIP-008-5 R3: Each Responsible Entity shall maintain each of its Cyber Security Incident response plans according to each of the applicable requirement parts in CIP-008-5 Table R3 – Cyber Security Incident Response Plan Review, Update, and Communication.
1. Plans should be reviewed and updated according to the periodicity specified in the policy

CIP-003-5 R1 - 1.5: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: Incident reporting and response planning (CIP-008);
1. Define expectations and roles and responsibilities within the security policy. Include contingencies and management practices where policy provisions can be suspended and tracked in response to emergency events.

Subcategory RS.IM-1: Response plans incorporate lessons learned (C2M2 practice: IR-3h)
Subcategory RS.IM-2: Response strategies are updated (C2M2 practices: IR-3e, IR-3k)
Subcategory RC.RP-1: Recovery plan is executed during or after an event (C2M2 practices: IR-3b, IR-3o, IR-4k)
Category Improvements (IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.
Category Recovery Planning (RP): Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events.
CIP-003-5 R1 - 1.6: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: Recovery plans for BES Cyber Systems (CIP-009);
1. Define expectations and roles and responsibilities within the security policy. Include contingencies and management practices where policy provisions can be suspended and tracked in response to emergency events.

CIP-007-5 R4: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented processes that collectively include each of the applicable requirement parts in CIP-007-5 Table R4 – Security Event Monitoring.
1. Ensure a clear escalation path exists between routine system monitoring activities and the recovery plans.

CIP-009-5 R1: Each Responsible Entity shall have one or more documented recovery plans that collectively include each of the applicable requirement parts in CIP-009-5 Table R1 – Recovery Plan Specifications.
1. Establish an enterprise emergency response capability that addresses assets in multiple security zones, and ensure recovery plans give precedence to higher-risk systems.

CIP-009-5 R2: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, its documented recovery plan(s) to collectively include each of the applicable requirement parts in CIP-009-5 Table R2 – Recovery Plan Implementation and Testing.
1. Establish an enterprise emergency response capability that addresses assets in multiple security zones, and ensure recovery plans give precedence to higher-risk systems.

CIP-009-5 R3: Each Responsible Entity shall maintain each of its recovery plans in accordance with each of the applicable requirement parts in CIP-009-5 Table R3 – Recovery Plan Review, Update and Communication.
1. Establish an enterprise emergency response capability that addresses assets in multiple security zones, and ensure recovery plans give precedence to higher-risk systems.

CIP-003-5 R1 - 1.6: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: Recovery plans for BES Cyber Systems (CIP-009);
1. Ensure security policy defines criteria for managing updates to recovery plans

CIP-009-5 R3: Each Responsible Entity shall maintain each of its recovery plans in accordance with each of the applicable requirement parts in CIP-009-5 Table R3 – Recovery Plan Review, Update and Communication.
1. Ensure response plans define a process for after-action review of all activities associated with a real or simulated event, including a defined communications plan.

CIP-003-5 R1 - 1.6: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: Recovery plans for BES Cyber Systems (CIP-009);
1. Ensure security policy defines criteria for managing updates to recovery plans

CIP-009-5 R3: Each Responsible Entity shall maintain each of its recovery plans in accordance with each of the applicable requirement parts in CIP-009-5 Table R3 – Recovery Plan Review, Update and Communication.
1. Ensure response plans are informed by the risk program, and are routinely updated
Subcategory RC.CO-1: Public Relations are managed (C2M2 practices: TVM-1d, IR-4d, RM-1c)
1. Within the context of the incident and emergency response program, define a communications plan that specifically addresses external stakeholders
2. Create pre-defined templates for communications in response to predictable events

Subcategory RC.CO-2: Reputation after an event is repaired (C2M2 practice: IR-4d)
1. Within the context of the incident and emergency response program, define a communications plan that specifically addresses external stakeholders
2. Create pre-defined templates for communications in response to predictable events
CIP-003-5 R1 - 1.6: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems, shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: Recovery plans for BES Cyber Systems (CIP-009);
1. Ensure security policy defines criteria for communications to all stakeholders

CIP-009-5 R1: Each Responsible Entity shall have one or more documented recovery plans that collectively include each of the applicable requirement parts in CIP-009-5 Table R1 – Recovery Plan Specifications.
1. Ensure recovery plans include communications criteria based on severity of event

Subcategory RC.CO-3: Recovery activities are communicated to internal stakeholders and executive and management teams (C2M2 practices: IR-3d, IR-5e)
Subcategory RC.IM-2: Recovery strategies are updated (C2M2 practices: IR-3h, IR-3k)
Category Improvements (IM): Recovery planning and processes are improved by incorporating lessons learned into future activities.
Category Communications (CO): Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors.
Function RECOVER (RC)
CIP-009-5 R2: Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, its documented recovery plan(s) to collectively include each of the applicable requirement parts in CIP-009-5 Table R2 – Recovery Plan Implementation and Testing.
1. Implement communications protocols during an actual or simulated event

CIP-009-5 R3: Each Responsible Entity shall maintain each of its recovery plans in accordance with each of the applicable requirement parts in CIP-009-5 Table R3 – Recovery Plan Review, Update and Communication.
1. Update communications protocols as necessary to match the changing business
** C2M2 Domains and Abbreviations
Abbreviation  Domain
ACM  Asset, Change, and Configuration Management
CPM  Cybersecurity Program Management
EDM  Supply Chain and External Dependencies Management
IAM  Identity and Access Management
IR   Event and Incident Response, Continuity of Operations
ISC  Information Sharing and Communications
RM   Risk Management
SA   Situational Awareness
TVM  Threat and Vulnerability Management
WM   Workforce Management