Review and approval of cyber security policies

Low-impact cyber security plan implementation

CIP Senior Manager assignment

Delegation of authority

Security awareness program

Cyber security training program

Personnel risk assessment program

Access management program

Access revocation

Access management for BCS information

Applicable systems must be protected by an Electronic Security Perimeter (ESP)

Listing of all ESPs and all systems connected within that use a routable protocol.

Deny all routable traffic through the ESP, except what is deemed necessary (excludes time-sensitive protection systems)

Network infrastructure and Electronic Access Point (EAP) configuration.

Deny all routable traffic to/from all management interfaces of Shared Cyber Infrastructure (SCI) or Electronic Access Controller Monitoring Systems w/associated SCI, except what is deemed necessary.

Documentation of access enforcement or configuration/settings logically isolating the management plane.

Authentication of dial-up connections.

Detection of malicious Internet Protocol (IP) ingress/egress ESP traffic.

Documentation that detection methods have been implemented.

Protecting data over links spanning between separate Physical Security Perimeters (PSPs) within an ESP.

Proof of data encryption.

Interactive Remote Access (IRA) only allowed through an "intermediate system".

Evidence that all IRA funnels through an intermediate system.

Protection of IRA communications between Virtual Cyber Assets (VCAs) and the intermediate system.

Details of confidentiality and integrity controls.

Multi-factor authenticated access to the intermediate system for IRA use.

Details of authenticators used.

Detection of active vendor IRA sessions or system-to-system remote access.

Documentation of detection methods, such as monitoring logs and active sessions, and recording requests for nth-factor information to be used for access.

Methods for disabling active vendor access

Details of methods.

The "intermediate system" of R2.1 cannot share CPU or memory with any part of a high- or medium-impact BCS and must restrict its routable communication to BCSs and their associated Protected Cyber Assets via an ESP

Documentation of architecture, configuration, and settings.

Methods to identify vendor remote sessions

Documentation of detection methods.

Supported

Methods to terminate vendor remote connections and block reconnection.

Details of methods.

Supported

Physical Security Plan.

Visitor Control Plan.

Physical Access Controls Maintenance/Testing.

Disable/prevent unnecessary connections with routable protocol to applicable systems.

Supported

Protect against unnecessary physical port usage.

N/A

Cyber security patch management process (evaluate and install), including tracking newly released/available patches.

Documentation of process and proof of monitoring sources for latest.

Supported

Evaluation of latest cyber security patches every ≤35 days.

Evidence of evaluation.

Supported

Action required on patches evaluated to apply, create a dated plan, or revise an existing dated plan.

Dated records showing implementation, or plans showing timeframe for completion.

Supported

Planned actions for R2.3 must be within planned timeframes specified (or exception approved).

Dated records showing implementation, or approved revisions/exceptions.

Supported

Methods to deter, detect, and prevent malicious code.

Evidence of process.

Supported

Plan for mitigating detected malicious code.

Records of process performance.

Supported

Plan for updating "signatures or patterns" identified as malicious.

Plans for updating process from R3.1 to address testing/installing the signatures or patterns.

Supported

Log security events to identify cyber security incidents including successful login, failed access/login attempts, and malicious code.

Listing of event types capable of being detected and logged.

Supported

Alert for detected malicious code event or failure of event logging system.

Listing of events or system configuration.

Supported

Retain logged security events for at least 90 days.

Documentation of event log retention process and retention of ≥90 days.

Supported

Review a summary or sampling of logged events at least every 15 days.

Dated documentation of review and findings.

Supported

Methods to enforce authentication of interactive user access.Description of access authentication.

Supported

Identify/inventory all enabled default/generic accounts by system, system groups, location, or system type.

Listing of all accounts by type, in use.

Supported

Identify all individuals with authorized access to shared accounts.

Listing of all shared accounts and individuals who have access.

Supported

Change default passwords.

Dated records of updates.

Supported

For password-only authenticated systems, also meet passwords of at least 8 characters and complex (three of more different characters of uppercase, lowercase, numeric, and non-alphanumeric) or of max. system capability.

N/A

For password-only authenticated systems, passwords must be rotated at least once per 15 months.

N/A

Alert for unsuccessful authentication attempts (user-defined threshold).

Supported

Cyber security incident response plan.

Cyber security incident response plan implementation/testing.

Cyber security incident response plan review/update/communicate.

Conditions for activation of the recovery plans.

N/A

Roles and responsibilities of responders.

N/A

Process(es) for backup/storage of info required to restore functionality.

Evidence of processes/configurations for backup/storage of information to fully recover BCSs.

Supported

Methods for verifying backup/storage.

Evidence of successful backup (for example, logs, workflow).

Supported

Methods to preserve data.

Documentation of procedures for preserving data by redundancy or other disaster recovery methods.

Supported

Testing of each recovery plan identified in R1, at least every 15 months.

Dated evidence from an actual incident, tabletop drill/exercise, operational exercise.

Supported

Testing a sample of information used to recover, at least every 15 months.

Dated logs or test results.

Supported

Test each recovery plan every three years.

Dated evidence from an actual incident or operational exercise.

Supported

No later than 90 days after completing a test or actual recovery: document lessons learned, update plans, communicate changes.

No later than 60 days after a change is made, update and notify affected personnel.

Control changes made to software systems to avoid weakening systems by authorization and verification of cyber security controls.

Documented process for any changes to be made to security controls implemented for CIP-005 and -007. This includes the installation, update, or removal of operating systems, applications, firmware, or patches. This also includes configuration changes to network access, SCI/ESPs between systems of different impact ratings, or to parent images from which child images are derived. Change management (dated requests and change application, along with output of vulnerability scans) required.

Intended changes in production environment to be tested either in an isolated environment or in a manner that minimizes adverse effects (ensuring cyber security remains in-tact throughout duration), and test results are documented to include any differences existing between production and test environments.

Documentation of the testing and any differences in the test and production environment.

Verify the identity and integrity of changes before application.

Evidence of a process that verifies intended software changes (operating systems, applications, firmware, or patches) with its source, prior to implementation.

Method to monitor for unauthorized changes to software/settings at least every 35 days.

Evidence of a monitoring system with records for investigation of any changes detected.

Supported

Conduct an active vulnerability assessment of Electronic Access Controller Monitoring Systems (EACMS), Physical Access Control Systems (PACS), and Protected Cyber Assets (PCAs) at least every 15 calendar months.

Dated documentation of assessment output

Supported

Conduct active vulnerability assessment of high-impact SCI at least every three years.

Dated documentation of assessment output and any differences between test and production environments.

Supported

Conduct vulnerability assessment on any new system prior to application.

Dated documentation of assessment output, prior to becoming an applicable system.

Supported

Documentation and mitigation planning for vulnerability assessments, including dated plan of action.

Reports or logs from automated mechanisms that perform remediation of assets at instantiation.

Supported

Transient Cyber Assets (TCAs) that are self-managed must meet requirements before connection for all users and locations, only be used as needed to perform business functions. They must be securely patched and have vulnerability mitigation, and methods for mitigating malicious code.

Documentation of management methods, overall architecture, and hardening practices, along with malicious code mitigation and access restriction.

Supported

TCAs managed by a 3rd party must have methods to mitigate vulnerabilities and malicious code.

Evidence of change management processes (may include cataloging machine states for all software and security patches installed, patching and update methods, whitelisting capabilities, and vulnerability mitigation practices).

Supported

Removable media must be authorized by user and location and must have methods in place to detect malicious code and threat mitigation of it.

Documentation of authorized removable media types and individuals or groups/roles, and the methods used to scan/detect/mitigate malicious code.

Supported

Identification of BES Cyber System Information (BCSI), which could be leveraged to gain unauthorized access.

N/A

Protection and secure handling of BCSI.

N/A

Protection to mitigate risk of disclosure of real-time assessment and monitoring data.

Documented plan meeting the security objectives and dated demonstration of implementation.

Supported

Location of protection implemented for R1.1

N/A

Identification of responsible entities if ownership of control centers differs.

N/A

Process to assess risk in procurement, including transitions from vendor-to-vendor, and installation of products and services.

Documented SCRM plan

Supported

Processes to:

1. Receive notification of vendor incident.

2. Coordinate vendor incident response

3. Terminate vendor access

4. Receive disclosure of known vulnerabilities

5. Verify software integrity and authenticity (including updates/patches)

6. Coordinate controls for vendor remote access

Evidence of methods used to address all specific processes listed

Supported

Implemented supply chain cyber security risk management plan

N/A

Approval of implemented plan by CIP Senior Manager, recurring a minimum of every 15 months

N/A