NERC CIP

NERC CIP Standards and Requirements (excluding CIP-014-3)

Term Definition
CIP-002-5.1a R1 Implement a process to identify high, medium, and low impact BES Cyber Systems.
CIP-002-5.1a R2 (2.1) Review CIP-002 R1 at least once every 15 calendar months and (2.2) have the CIP Senior Manager or delegate approve the identifications by R1 every 15 calendar months.
CIP-003-8 R1 Review and obtain CIP Senior Manager approval at least every 15 calendar months for documented cyber security policies that collectively address the list in this standard.
CIP-003-8 R2 Implement one or more documented cyber security plan(s) for low impact BES Cyber Systems that include the sections in Attachment 1.
CIP-003-8 R3 Each Responsible Entity shall identify a CIP Senior Manager by name and document any change within 30 calendar days of the change.
CIP-003-8 R4 Implement a documented process to delegate CIP Senior Manager authority, unless no delegations are used.
CIP-004-7 R1.1 Security awareness that, at least once each calendar quarter, reinforces cyber/physical security practices for personnel who have authorized electronic or authorized unescorted physical access to BES Cyber Systems.
CIP-004-7 R2.1 Have training content on the topics covered in 2.1.1 - 2.1.9.
CIP-004-7 R2.2 Require completion of the training specified in Part 2.1 prior to granting authorized electronic access and authorized unescorted physical access to applicable Cyber Assets, except during CIP Exceptional Circumstances.
CIP-004-7 R2.3 Require completion of the training specified in Part 2.1 at least once every 15 calendar months.
CIP-004-7 R3.1 Process to confirm identity.
CIP-004-7 R3.2 Process to perform a seven year criminal history records check that includes (3.2.1) current residence and (3.2.2) any prior residence the subject has resided for six consecutive months or more.
CIP-004-7 R3.3 Criteria or process to evaluate criminal history records checks for authorizing access.
CIP-004-7 R3.4 Criteria or process for verifying that personnel risk assessments performed for contractors or service vendors are conducted according to Parts 3.1 through 3.3.
CIP-004-7 R3.5 Process to ensure that individuals with authorized electronic or authorized unescorted physical access have had a personnel risk assessment completed according to Parts 3.1 to 3.4 within the last seven years.
CIP-004-7 R4.1 Process to authorize based on need: (4.1.1) Electronic access; and (4.1.2) Unescorted physical access into a Physical Security Perimeter.
CIP-004-7 R4.2 Verify at least once each calendar quarter that individuals with active electronic access or unescorted physical access have authorization records.
CIP-004-7 R4.3 For electronic access, verify at least once every 15 calendar months that all user accounts, user account groups, or user role categories, and their specific, associated privileges are correct and are those that are determined to be necessary.
CIP-004-7 R5.1 Implement a process to initiate removal of an individual's ability for unescorted physical access and IRA upon a termination action, and complete removal within 24 hours.
CIP-004-7 R5.2 For reassignments or transfers, revoke unnecessary access by the end of the next calendar day following the date the entity determines the individual no longer needs access.
CIP-004-7 R5.3 For termination actions, revoke non-shared user accounts within 30 calendar days.
CIP-004-7 R5.4 For termination actions, change passwords for shared accounts known to the user within 30 calendar days (or 10 days following a situation where 30 days is not feasible).
CIP-004-7 R6.1 Prior to provisioning, authorize based on need (6.1.1) Provisioned electronic access to electronic BCSI; and (6.1.2) Provisioned physical access to physical BCSI.
CIP-004-7 R6.2 Verify every 15 months that all individuals with BCSI access (6.2.1) have an authorized record; and (6.2.2) still need the provisioned access to perform work functions.
CIP-004-7 R6.3 For termination actions, remove the individual's ability to use BCSI by the end of the next calendar day.
CIP-005-7 R1.1 All applicable Cyber Assets connected to a network via a routable protocol shall reside within a defined ESP.
CIP-005-7 R1.2 All External Routable Connectivity must be through an identified Electronic Access point (EAP).
CIP-005-7 R1.3 Require inbound and outbound access permissions, including the reason for granting access, and deny all other access by default.
CIP-005-7 R1.4 Where technically feasible, perform authentication when establishing Dial-up Connectivity with applicable Cyber Assets.
CIP-005-7 R1.5 Have one or more methods for detecting known or suspected malicious communications for both inbound and outbound communications.
CIP-005-7 R2.1 For all IRA, utilize an Intermediate System such that the Cyber Asset initiating IRA does not directly access an applicable Cyber Asset.
CIP-005-7 R2.2 For all IRA sessions, utilize encryption that terminates at an Intermediate System.
CIP-005-7 R2.3 Require MFA for all IRA sessions.
CIP-005-7 R2.4 Have one or more methods for determining active vendor remote access sessions (including IRA and system-to-system remote access).
CIP-005-7 R2.5 Have one or more method(s) for determining active vendor remote access sessions (including IRA and system-to-system remote access).
CIP-005-7 R3.1 Have one or more method(s) to determine authenticated vendor-initiated remote connections.
CIP-005-7 R3.2 Have one or more method(s) to terminate authenticated vendor-initiated remote connections and control the ability to reconnect.
CIP-006-6 R1.1 Define operational or procedural controls to restrict physical access.
CIP-006-6 R1.2 Utilize at least one physical access control to allow unescorted physical access into the PSPs to only authorized individuals.
CIP-006-6 R1.3 Where technically feasible, utilize two or more different physical access controls to allow unescorted physical access into the PSPs to only authorized individuals.
CIP-006-6 R1.4 Monitor for unauthorized access through a physical access point into a PSP
CIP-006-6 R1.5 Issue an alarm in response to detected unauthorized access through a physical access point into a PSP to the personnel identified in the BES CSIRP within 15 minutes of detection.
CIP-006-6 R1.6 Monitor each PACS for unauthorized physical access to a PACS.
CIP-006-6 R1.7 Issue an alarm or alert in response to detected unauthorized physical access to a PACS to the personnel identified in the BES CSIRP within 15 minutes of detection.
CIP-006-6 R1.8 Log entry of each individual with authorized unescorted physical access into each PSP, with information to identify the individual and date and time of entry.
CIP-006-6 R1.9 Retain physical access logs of entry of individuals with authorized unescorted physical access into each PSP for at least 90 calendar days.
CIP-006-6 R1.10 Restrict physical access to cabling and other nonprogrammable communication components used for connection between Cyber Assets in the same ESP when such cabling and components are located outside of a PSP
CIP-006-6 R2.1 Require continuous escorted access of visitors within each PSP except during CIP exceptional circumstances.
CIP-006-6 R2.2 Require manual or automated logging of visitor entry into and exit from the PSP that includes date and time of initial entry and last exit, name, and point of contact responsible for the visitor except during CIP exceptional circumstances.
CIP-006-6 R2.3 Retain visitor logs for at least 90 calendar days.
CIP-006-6 R3.1 Maintenance and testing of each PACS and locally mounted hardware or devices at the PSP at least once every 24 calendar months to ensure they function properly.
CIP-007-6 R1.1 Enable only logical network accessible ports that have been determined to be needed by the entity, including dynamic/ranges. If a device cannot provision ports, those ports are deemed needed.
CIP-007-6 R1.2 Protect against the use of unnecessary physical input/output ports used for network connectivity, console commands, or Removable Media.
CIP-007-6 R2.1 Have a patch management process for tracking, evaluating, and installing cyber security patches for applicable Cyber Assets. The tracking portion shall identify a patch source.
CIP-007-6 R2.2 Evaluate security patches at least every 35 days
CIP-007-6 R2.3 Within 35 days of the patch evaluation completion, (1) apply the applicable patches, (2) create a dated mitigation plan, or (3) revise an existing mitigation plan.
CIP-007-6 R2.4 For each mitigation plan created from R2.3, implement the plan within the specified timeframe unless a revision is approved and signed off by the CIP Senior Manager or delegate.
CIP-007-6 R3.1 Deploy method(s) to deter, detect, or prevent malicious code.
CIP-007-6 R3.2 Mitigate the threat of detected malicious code.
CIP-007-6 R3.3 For those methods identified in Part 3.1 that use signatures or patterns, have a process for the update of signatures or patterns. The process must address testing and installing the signatures or patterns.
CIP-007-6 R4.1 Log events at the BCS or Cyber Asset level for identification and investigation of Cyber Security Incidents that include: (4.1.1) Detected successful login attempts, (4.1.2) Detected failed access and login attempts, and (4.1.3) Detected malicious code.
CIP-007-6 R4.2 Generate alerts for security events that the entity determines necessitate an alert, that include as a minimum: (4.2.1) Detected malicious code from R4.1, and (4.2.2) Detected failure of R4.1 event logging.
CIP-007-6 R4.3 Where technically feasible, retain applicable event logs identified in R4.1 for at least the last 90 consecutive calendar days except under CIP exceptional circumstances.
CIP-007-6 R4.4 (High) Review a summarization or sampling of logged events every 15 calendar days to identify undetected Cyber Security Incidents.
CIP-007-6 R5.1 Have a method(s) to enforce authentication of interactive user access, where technically feasible.
CIP-007-6 R5.2 Identify and inventory all known enabled default or other generic account types, either by system, by groups of systems, by location, or by system type(s).
CIP-007-6 R5.3 Identify individuals who have authorized access to shared accounts.
CIP-007-6 R5.4 Change known default passwords, per Cyber Asset capability.
CIP-007-6 R5.5 For password-only authentication, technically or procedurally enforce (5.5.1) password length that is at least 8 characters or the max length supported, and (5.5.2) has at least three different types of characters or the max complexity supported.
CIP-007-6 R5.6 For password-only authentication for interactive user access, either technically or procedurally enforce password changes or an obligation to change the password at least once every 15 calendar months.
CIP-007-6 R5.7 Where technically feasible, either limit the number of unsuccessful authentication attempts, or generate alerts after a threshold of unsuccessful authentication attempts.
CIP-008-6 R1.1 One or more processes to identify, classify, and respond to Cyber Security Incidents.
CIP-008-6 R1.2 One or more processes (1.2.1) that include criteria to evaluate and define attempts to compromise, (1.2.2) to determine if an identified Cyber Security Incident is reportable or an attempt to compromise, and (1.2.3) To provide notification per R4.
CIP-008-6 R1.3 [Document the] roles and responsibilities of Cyber Security Incident response groups or individuals.
CIP-008-6 R1.4 Incident handling procedures for Cyber Security Incidents.
CIP-008-6 R2.1 Test each Cyber Security Incident response plan(s) at least once every 15 calendar months by responding to an actual reportable incident, with a paper drill or tabletop exercise, or with an operational exercise.
CIP-008-6 R2.2 Use the Cyber Security Incident response plan(s) under R1 when responding to a reportable incident, an incident that attempted to compromise a system, or performing an exercise. Document deviations.
CIP-008-6 R2.3 Retain records related to Reportable Cyber Security Incidents and attempts to compromise.
CIP-008-6 R3.1 Within 90 days of a CSIRP test or actual reportable incident, (3.1.1) document lessons learned (or absence of), (3.1.2) update the CSIRP based on lessons learned, and (3.1.3) notify each person or group with a role in the CSIRP of the updates to the plan.
CIP-008-6 R3.2 Within 60 days after a change to the roles or responsibilities, CSIRP groups or individuals, or technology that would impact the plan, (3.2.1) update the CSIRP and (3.2.2) notify each person or group with a defined role in the CSIRP of the updates.
CIP-008-6 R4.1 Initial notifications and updates shall include the following attributes: (4.1.1) The functional impact, (4.1.2) The attack vector used, and (4.1.3) the level of intrusion that was achieved or attempted.
CIP-008-6 R4.2 After the entity's determination made pursuant to document process(es) in R1.2, provide initial notification within (1) one hour after the determination of a reportable incident, and (2) by the end of the next calendar day after an attempt to compromise.
CIP-008-6 R4.3 Provide updates, if any, within 7 calendar days of determination of new or changed attribute information required in R4.1.
CIP-009-6 R1.1 [Document] conditions for activation of the recovery plan(s).
CIP-009-6 R1.2 [Document the] roles and responsibilities of responders.
CIP-009-6 R1.3 [Document] one or more processes for the backup and storage of information required to recover BES Cyber System functionality.
CIP-009-6 R1.4 [Document] one or more processes to verify the successful completion of the backup processes in R1.3 and to address any backup failures
CIP-009-6 R1.5 [Document] one or more processes to preserve data, per Cyber Asset capability, for determining the cause of a Cyber Security Incident that triggers activation of the recovery plan(s). Data preservation should not impede or restrict recovery.
CIP-009-6 R2.1 Test each of the recovery plans referenced in R1 at least once every 15 calendar months by recovering from an actual incident, with a paper drill or tabletop exercise, or with an operational exercise.
CIP-009-6 R2.2 Test a representative sample of information used to recover BCS functionality at least once every 15 calendar months to ensure the information is useable and compatible with current configurations. An actual recovery substitutes for this test.
CIP-009-6 R2.3 (High) Test each of the recovery plans referenced in R1 at least once every 36 calendar months through an operational exercise in an environment representative of the production environment. An actual recovery response may substitute for an operational exercise.
CIP-009-6 R3.1 No later than 90 days after completion of a recovery plan test or actual recovery, (3.1.1) document lessons learned, (3.1.2) update the recovery plan based on lessons learned, and (3.1.3) notify each person or group with a defined role of the update.
CIP-009-6 R3.2 No later than 60 days after a change to roles or responsibilities, responders, or technologies that would impact the ability to execute the recovery plan, (3.2.1) update the plan, and (3.2.2) notify each person or group with a defined role of the update.
CIP-010-4 R1.1 Develop a baseline configuration, individually or by group, that includes the following items: (1.1.1) OS or firmware, (1.1.2) Commercial or open source software, (1.1.3) Custom software, (1.1.4) Logical ports, and (1.1.5) Security patches.
CIP-010-4 R1.2 Authorize and document changes that deviate from the existing baseline configuration.
CIP-010-4 R1.3 For any change that deviates from the existing baseline configuration, update the baseline configuration as necessary within 30 calendar days of completing the change.
CIP-010-4 R1.4 For a change that deviates from the baseline: (1.4.1) Prior to change, determine cyber security controls in CIP 5 & 7 that could be impacted, (1.4.2) after the change, verify controls from 1.4.1 were not affected, and (1.4.3) document verification results
CIP-010-4 R1.5 (High) Where technically feasible, for each baseline change, (1.5.1) test changes in a test environment, and (1.5.2) document test results.
CIP-010-4 R1.6 Prior to a baseline change associated with 1.1.1, 1.1.2, and 1.1.5, (1.6.1) verify the identity of the software source, and (1.6.2) verify the integrity of the software obtained from the software source.
CIP-010-4 R2.1 Monitor at least once every 35 calendar days for changes to the baseline configuration as described in R1.1. Document and investigate detected unauthorized changes.
CIP-010-4 R3.1 At least once every 15 calendar months, conduct a paper or active vulnerability report.
CIP-010-4 R3.2 (High) Where technically feasible, at least once every 36 months: (3.2.1) perform an active vulnerability assessment in a test environment or in a production environment where minimal disruptions will occur, and (3.2.2) document results of the test.
CIP-010-4 R3.3 (High) Prior to adding a new CA to a production environment, perform an active vulnerability assessment of the new CA, except for CIP Exceptional Circumstances and like replacements with matching baseline configurations of previous or other existing CAs.
CIP-010-4 R3.4 Document results of the assessments conducted according to R3.1, R3.2, and R3.3 and the action plan to mitigate vulnerabilities found in the assessments including planned date of completing the action plan and status of any mitigation action items.
CIP-010-4 R4 The entity, for its high and medium impact BES Cyber Systems and associated PCAs, shall implement, except under CIP Exceptional Circumstances, one or more documented plan(s) for TCAs and Removable Media that include the sections in Attachment 1.
CIP-011-3 R1.1 Method(s) to identify BCSI.
CIP-011-3 R1.2 Method(s) to protect and securely handle BCSI to mitigate risks of compromising confidentiality.
CIP-011-3 R2.1 Prior to the release for reuse of applicable CAs that contain BCSI (except for reuse within other systems identified in the “Applicable Systems” column), the Entity shall take action to prevent unauthorized retrieval of BCSI from the CA data storage media
CIP-011-3 R2.2 Prior to the disposal of applicable CAs that contain BCSI, the Entity shall take action to prevent the unauthorized retrieval of BCSI from the CA or destroy the data storage media.
CIP-012-1 R1 Implement one or more documented plans to mitigate risks posed by unauthorized disclosure and/or modification of Real-Time assessment/monitoring data while being transmitted between applicable Control Centers. Not required to document oral communication.
CIP-012-1 R1.1 Identification of security protection used to mitigate the risks posed by unauthorized disclosure and unauthorized modification of Real-time Assessment and Real-time monitoring data while being transmitted between Control Centers.
CIP-012-1 R1.2 Identification of where the Responsible Entity applied security protection for transmitting Real-time Assessment and Real-time monitoring data between Control Centers
CIP-012-1 R1.3 If the Control Centers are owned or operated by different Entities, identification of the responsibilities of each Entity for applying security protection to the transmission of Real-time Assessment/monitoring data between those Control Centers.
CIP-013-2 R1.1 Develop one or more processes used in the procurement of BCSs, EACMS, and PACS to assess cyber security risks to the BES from vendor products/services resulting from: (i) installing vendor equipment/software, and (ii) transitions between vendors
CIP-013-2 R1.2 Develop one or more processes used in procuring BCSs, EACMS, and PACS that addresses R1.2.1 through R1.2.6
CIP-013-2 R1.2.1 Develop one or more processes for R1.2 that addresses notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cybersecurity risk to the Responsible Entity
CIP-013-2 R1.2.2 Develop one or more processes for R1.2 that addresses coordination of responses to vendor identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity
CIP-013-2 R1.2.3 Develop one or more processes for R1.2 that addresses notification by vendors when remote or onsite access should no longer be granted to vendor representatives
CIP-013-2 R1.2.4 Develop one or more processes for R1.2 that addresses disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity
CIP-013-2 R1.2.5 Develop one or more processes for R1.2 that addresses verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System and their associated EACMS and PACS
CIP-013-2 R1.2.6 Develop one or more processes for R1.2 that addresses coordination of controls for vendor-initiated remote access
CIP-013-2 R2 Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in R1
CIP-013-2 R3 Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in R1 at least once every 15 calendar months.
Created by: JoshNightingale