Project 2023-09 Risk Management for Third-Party Cloud Services

Related Files

Status
The formal comment period for the Project 2023-09 Risk Management for Third-Party Cloud Services Standard Authorization Request concluded at 8 p.m. Eastern, Monday, July 1, 2024. The comments received can be accessed via the link below. The drafting team will review all responses received during the comment period and determine the next steps of the project.

Background
From a security perspective, the electric industry is facing an increase in the number and sophistication of cyberattacks, and security teams are seeking tools and capabilities to improve their security programs. Security solutions with greater visibility, detection, correlation, analytics, and responsiveness are available as cloud services; they help security teams reduce the potential impact of security events and speed recovery, while also protecting data confidentiality and integrity. Cloud services can provide increased availability, including resiliency, because of their scalability, redundancy, high availability, and fault tolerance. Cloud services play a critical role in providing greater capability across the security domains. Additionally, as noted in the 2020 FERC Notice of Inquiry, the vast majority of new products from vendors are cloud-based solutions, placing increased pressure on NERC registered entities to securely operate the BES. Concurrently, from an operational and reliability perspective, the modern power grid landscape is changing, driven by rapid grid modernization, digital transformation, decentralization of electric resources, and decarbonization targets. These factors are increasing the data volumes required to continue operating a reliable and resilient grid and thus increasing the need for data analytics and resources such as computing, network, and storage. Entity operations for assets across the NERC CIP impact levels will face growing demands for compute capacity to manage the increasing volumes of data needed to respond to grid variability and maintain reliable grid operations. The increasing data storage and processing requirements of grid modernization are driving the need for cloud services. Cloud resources provide Entities with expanded simulation capabilities and development environments that can help meet patching cycles and testing requirements for on-premises assets under the CIP requirements.
Cloud services offer fault-tolerant system design capabilities in which operations and data can be replicated and run in independent application stacks in geographically dispersed locations, along with other benefits, including reliability, resilience, and security.

Standard(s) Affected:
CIP-002, CIP-003, CIP-004, CIP-005, CIP-006, CIP-007, CIP-008, CIP-009, CIP-010, CIP-011, CIP-012, CIP-013 and CIP-014. Additional standard revisions may be determined by the drafting team.

Purpose/Industry Need
The project purpose is to establish risk-based, outcome-driven requirements that place cloud services on par with other third-party resources already used for CIP-regulated systems, including BES operations and supporting cyber assets. This project will allow, but not require, use of cloud services for CIP-regulated systems, including BES operations and supporting cyber assets. As explained in NERC's 2019 whitepaper on "Virtualization and Future Technologies" [1], the reliance on physical assets in the current standards prevents the use of cloud services in a compliant manner for some systems, such as those defined as BES Cyber Systems or EACMS. The goals are to develop specific modifications to the CIP Standards, or to create a new standard or standards, that add clarity in allowing for the adoption and auditability of cloud services used for the BES. These revisions will increase the reliability and security of the Bulk Electric System (BES) by allowing the use of advanced technologies that support Entities in managing grid modernization and the changing grid landscape, and by making available to security teams all resources that can reduce the potential impact of security events and speed recovery from them.


Subscribe to this project's observer mailing list
Select "NERC Email Distribution Lists" from the "Service" drop-down menu and specify "Project 2023-09 Risk Management for Third-Party Cloud Services" in the Title and Description boxes.

[1] https://www.nerc.com/pa/Stand/Project%20201602%20Modifications%20to%20CIP%20Standards%20RF/Project%202016-02_Virtualization_and_Future_Technologies_Case_for_Change_White_Paper_04182019.pdf


Draft | Actions | Dates | Results | Consideration of Comments

Standard Authorization Request (Clean | Redline)
  Actions: The Standards Committee accepted the SAR on December 10, 2024

Standard Authorization Request
  Supporting Materials: Unofficial Comment Form (Word)
  Actions: Comment Period (Updated Info | Info | Submit Comments)
  Dates: 05/10/24 - 07/01/24 (Extended)
  Results: Comments Received
  Consideration of Comments: Consideration of Comments

Drafting Team Nominations
  Supporting Materials: Unofficial Nomination Form (Word)
  Actions: Nomination Period (Info | Submit Nominations)
  Dates: 05/10/24 - 06/10/24

Standard Authorization Request
  Actions: The Standards Committee accepted the SAR on December 13, 2023