Project 2020-03 Supply Chain Low Impact Revisions

Status - CIP-003-9

Board Adopted: November 16, 2022

Filed with FERC: December 6, 2022

Background
In its final report accepted by the NERC Board in May 2019, NERC documented the results of the evaluation of supply chain risks associated with certain categories of assets not currently subject to the Supply Chain Standards and recommended actions to address those risks. NERC staff recommended further study to determine whether new information supports modifying the standards to include low impact BES Cyber Systems with external connectivity by issuing a request for data or information pursuant to Section 1600 of the NERC Rules of Procedure.

The Board approved the formal issuance of this data request on August 15, 2019. NERC collected the data from August 19 through October 3, 2019. A final report, Supply Chain Risk Assessment, was published in December 2019. The report recommended the modification of the Supply Chain Standards to include low impact BES Cyber Systems with remote electronic access connectivity. Further, industry feedback was received regarding this recommendation at the February 2020 NERC Board meeting through MRC Policy Input.

After considering policy input, the NERC Board adopted a resolution to initiate a project to modify Reliability Standard CIP-003-8 to include policies for low impact BES Cyber Systems to: (1) detect known or suspected malicious communications for both inbound and outbound communications; (2) determine when active vendor remote access sessions are initiated; and (3) disable active vendor remote access when necessary.

Standard(s) Affected – CIP-003-8

Purpose/Industry Need
This project will address the NERC Board resolution adopted at its February 2020 to initiate a project to modify Reliability Standard CIP-003-8 to include policies for low impact BES Cyber Systems to: (1) detect known or suspected malicious communications for both inbound and outbound communications; (2) determine when active vendor remote access sessions are initiated; and (3) disable active vendor remote access when necessary.

Subscribe to this project's observer distribution list
Select "NERC Email Distribution Lists" from the "Service" drop-down menu and specify “Project 2020-03 Supply Chain Low Impact Revisions Observer List” in the Description Box.

Draft	Actions	Dates	Results	Consideration of Comments
Final Draft Clean \| Redline to Last Posted \| Redline to Last Approved Implementation Plan Clean \| Redline Supporting Materials Technical Rationale Clean \| Redline VRF/VSL Justifications Reliability Standard Audit Worksheet (RSAW)	Final Ballot Info Vote	10/26/22 - 11/04/22	Ballot Results
Draft 3 CIP-003-X Clean \| Redline Implementation Plan Clean \| Redline Supporting Materials Unofficial Comment Form (Word) Technical Rationale Clean \| Redline VRF/VSL Justifications	Additional Ballot and Non-binding Poll Updated Info Info Vote	08/10/22 – 08/19/22	Ballot Results Non-binding Poll Results
	Comment Period Info Submit Comments	07/06/22 – 08/19/22	Comments Received	Consideration of Comments
Draft 2 CIP-003-X Clean \| Redline Implementation Plan Clean \| Redline Supporting Materials Unofficial Comment Form (Word) Technical Rationale Clean \| Redline VRF/VSL Justifications	Additional Ballot and Non-binding Poll Updated Info (Ballot Open Reminder) Info (Updated) Vote	04/06/22 - 04/15/22 (Updated prevent projects closing on the same days)	Ballot Results Non-binding Poll Results
	Comment Period Info (Updated) Submit Comments	02/25/22 - 04/15/22 (Updated to prevent projects closing on the same days)	Comments Received	Consideration of Comments
Draft 1 CIP-003-X Clean \| Redline Implementation Plan Supporting Materials Unofficial Comment Form (Word) VRF and VSL Justifications Technical Rationale	Initial Ballot and Non-binding Poll Updated Info Info Vote	10/01/21- 10/11/21	Ballot Results Non-binding Poll Results
	Join Ballot Pools	08/27/21 - 09/27/21
	Comment Period Info Submit Comments	08/27/21- 10/11/21	Comments Received	Consideration of Comments
Standard Authorization Request (SAR) Clean \| Redline	The Standards Committee accepted the SAR on February 17, 2021
Supplemental Drafting Team Nominations Unofficial Nomination Form (Word)	Nomination Period Info Submit Nominations	07/30/20 - 08/13/20
Standard Authorization Request Supporting Materials Unofficial Comment Form (Word)	Comment Period Info (Updated) Submit Comments	04/03/20 - 06/03/20 (Extended)	Comments Received	Summary Response to Comments
Drafting Team Nominations Supporting Materials Unofficial Nomination Form (Word)	Nomination Period Info (Updated) Submit Nominations	04/03/20 - 06/03/20 (Extended)

Atlanta Office | 3353 Peachtree Road, NE Suite 600 North Tower, Atlanta, GA 30326 | 404-446-2560
Washington Office | 1401 H Street NW, Suite 410, Washington, DC 20005| 202-400-3000

Group Health Plan Transparency in Coverage Files*

*This link leads to the machine-readable files that are made available in response to the federal Transparency in Coverage Rule and includes negotiated service rates and out-of-network allowed amounts between health plans and healthcare providers. The machine-readable files are formatted to allow researchers, regulators, and application developers to more easily access and analyze data.

Project_2020-03_Supply_Chain_Low_Impact_Revisions // <![CDATA[ _spBodyOnLoadFunctionNames.push("setupPageDescriptionCallout"); // ]]>

Project_2020-03_Supply_Chain_Low_Impact_Revisions