Project 2023-04 Modifications to CIP-003

Status

A 30-day formal comment period for CIP-003-11 – Cyber Security – Security Management Controls, is open through 8 p.m. Eastern, Thursday, July 11, 2024.

The third draft of CIP-003 is being posted for a 30-day formal comment and ballot period per the Standard Processes Manual Section 4.12.

An additional ballot for the standard and implementation plan, as well as a non-binding poll of the associated Violation Risk Factors and Violation Severity Levels will be conducted July 2-11, 2024.

Based on recent board adopted standards for CIP-003-9, the posted versions for the 2023-04 Modifications to CIP-003 was updated to reflect CIP-003-11. The Standards Balloting and Commenting System (SBS) does not allow edits once a ballot pool has been formed. Even though the standard versioning within the SBS states CIP-003-A, the version numbers within this posting are correct and entities will be voting on CIP-003-11 and CIP-003-12 in the same ballot.

Background
In light of cybersecurity events and the evolving threat landscape, the NERC Board took action at its February 4, 2021 meeting to direct NERC staff, working with stakeholders, to expeditiously complete its broader review and analysis on facilities that house low impact Bulk Electric System (BES) Cyber Assets. Specifically, the degrees of risk presented by various facilities that house the low impact BES Cyber Assets and report on whether the low impact criteria should be modified. To assist in this evaluation, NERC staff assembled a team of cybersecurity experts and compliance experts representative of a cross section of industry, called the Low Impact Criteria Review Team (LICRT). The LICRT's primary purpose was to discuss the potential threat and risk posed by a coordinated cyber attack on low impact BES Cyber Systems. In its report, the LICRT documented the results of the review and analysis of degrees of risk presented by various facilities that meet the criteria that define low impact cyber facilities and recommends actions to address those risks. The Board accepted the LICRT's report at its November 2022 meeting and asked that the recommendations in the report be initiated. The Standards Committee accepted the SAR at its March 22, 2023 meeting.

Standard Affected: CIP-003-9

Purpose/Industry Need
The LICRT report recognized that low impact BES Cyber Systems may introduce BES reliability risks of a higher impact where distributed low impact BES Cyber Systems are used for a coordinated attack. The team recommended enhancing the existing low impact category to further mitigate the coordinated attack risk. The proposed project will revise CIP-003-9 to add controls to authenticate remote users, protect the authentication information in transit, and detect malicious communications assets containing low impact BES Cyber Systems with external routable connectivity.

Subscribe to this project's observer mailing list
Select "NERC Email Distribution Lists" from the "Service" drop-down menu and specify “Project 2023-04 Modifications to CIP-003 Observer List” in the Description Box.

Draft	Actions	Dates	Results	Consideration of Comments
Draft 3 CIP-003-11 Clean \| Redline to Last Posted \| Redline to CIP-003-9 (Last Approved) Implementation Plan CIP-003-12 Redline to CIP-003-9 Implementation Plan Supporting Materials Technical Rationale Unofficial Comment Form VRF/VSL Justifications Summary of Changes	Additional Ballot Info Vote	7/2/24 - 7/11/24
	Comment Period Info Submit Comments	6/12/24 - 7/11/24
Draft 2 CIP-003-A Clean \| Redline to Last Posted \| Redline to Last Approved Implementation Plan Supporting Materials Technical Rationale Unofficial Comment Form VRF/VSL Justifications	Additional Ballot Ballot Open Reminder Info Vote	3/5/24 - 3/14/24	Ballot Results CIP-003-A Implementation Plan Non-binding Poll Results	Consideration of Comments
	Comment Period Info Submit Comments	1/30/24 - 3/14/24	Comments Received	Consideration of Comments
Draft 1 CIP-003-A Clean \| Redline to Last Approved Implementation Plan Supporting Materials Technical Rationale Unofficial Comment Form VRF/VSL Justifications Supplemental Drafting Team Nominations Supporting Materials Unofficial Nomination Form (Word)	Initial Ballot Ballot Open Reminder Info Vote	11/28/23 - 12/07/23	Ballot Results CIP-003-A Implementation Plan Non-binding Poll Results	Consideration of Comments
	Initial Ballot Ballot Open Reminder Info Vote	11/28/23 - 12/07/23
	Join Ballot Pools	10/24/23 - 11/27/23	Comments Received
	Comment Period Info Submit Comments	10/24/23 - 12/07/23
	Supplemental Nomination Period Info Submit Nominations	10/24/23 - 12/07/23
Standard Authorization Request Clean \| Redline	Accepted by the Standards Committee	7/27/2023
Standard Authorization Request Low Impact Criteria Review Team Report Supporting Materials Unofficial Comment Form (Word)	Comment Period Info Submit Comments	3/31/2023 - 5/15/2023	Comments Received	Consideration of Comments
Drafting Team Nominations Supporting Materials Unofficial Nomination Form (Word)	Nomination Period Info Submit Nominations	3/31/2023 - 5/15/2023

Atlanta Office | 3353 Peachtree Road, NE Suite 600 North Tower, Atlanta, GA 30326 | 404-446-2560
Washington Office | 1401 H Street NW, Suite 410, Washington, DC 20005| 202-400-3000

Group Health Plan Transparency in Coverage Files*

*This link leads to the machine-readable files that are made available in response to the federal Transparency in Coverage Rule and includes negotiated service rates and out-of-network allowed amounts between health plans and healthcare providers. The machine-readable files are formatted to allow researchers, regulators, and application developers to more easily access and analyze data.

Project-2023-04-Modifications-to-CIP-003 // <![CDATA[ _spBodyOnLoadFunctionNames.push("setupPageDescriptionCallout"); // ]]>

Project-2023-04-Modifications-to-CIP-003