| Align Release 1 Update | Why was Align Release 1 delayed? | NERC’s management team decided to delay Release 1, planned for the last quarter of 2019, and NERC's Board accepted the schedule change at its August Board meeting. The primary drivers for the delay are related to ensuring data security, refining compliance audit and investigation business processes, and addressing stakeholder concerns.
The project team continues with its other scheduled activities, including completing user acceptance testing, identifying critical enhancements, completing data integration and reporting efforts, and developing training materials—with the intention of launching Release 1 in 2020. | 9/3/2019 3:41 PM |
| Align Release 1 Update | How will the Release 1 delay impact Align training? | The Align project team will work with regional staff to update the Release 1 training schedule. While exact dates are still being determined, training will likely be completed in Q1/Q2 2020. The Align project team will use the remainder of Q4 to refine training materials and work with the regional project team members to ensure that all impacted Align users are prepared for the Release 1 launch. When the final schedule is published, there will be ample time to register for training. | 9/3/2019 3:42 PM |
| Align Release 1 Update | Will the delay impact the Release 1 features in the Align Tool? | Release 1 will still include self-reporting, self-logs, mitigation, and enforcement activities. | 9/3/2019 3:42 PM |
| Align Release 1 Update | What benefits can be expected from Align Release 1? | The Align project will deliver on the same business objectives originally communicated, which are to:
• Provide a single, common portal for registered entities, enabling consistency of experience;
• Offer real-time access to information, eliminating delays and manual communications;
• Improve capability to support the risk-based compliance oversight framework;
• Enhance quality assurance and oversight, enabling consistent application of the CMEP;
• Improve analytics, including visibility into compliance and reliability risks;
• Increase capability to implement audit best practices and processes (planning, fieldwork, reporting, and quality assurance);
• Standardize the implementation of common business processes and workflows, enabling increased productivity; and
• Reduce application costs across the ERO Enterprise. | 9/3/2019 3:44 PM |
| Align Release 1 Update | How can I stay informed on Align updates and progress? | The Align project team will provide regular updates on our progress toward Release 1. We encourage you to review the Align newsletters, attend regional workshops featuring Align, and reach out to your Align change agent or the Align project team with any additional questions. | 9/3/2019 3:44 PM |
| Align Stakeholder Webinar Questions | Will NERC publicly post all questions (unedited) and answers it receives from the Align Webinar? | Updated 4/16/20: All webinar questions are being moved to more appropriate categories and we are aggregating questions into an FAQ-type response by topic, so repeated questions would not be re-posted or re-answered. NERC may modify the posted questions due to character limitations, readability, entity anonymity, or other such considerations. | 2/7/2020 1:23 PM |
| Align Update - Release 1 | Who will be involved in the final quality assurance activities & testing for Align Release 1? | Currently, we have internal NERC resources, and several Regional Entity users that will be testing the system. Additionally, we plan on including several volunteers from the registered entity community to review and test the application. We will also be accepting and resolving defects from users during training. | 2/7/2020 2:01 PM |
| Align/BWise Functionality | When are notifications provided to Registered Entities? When a self-report changes from Preliminary Screening (upon Regional Entity review), are the utilities notified? | Yes, you will get an e-mail notification when a PNC passes preliminary screening. The majority of notifications will work the same way and go to the Primary Compliance Contact and the Alternate Compliance Contact. Registered Entities will also be able to see the status change on the My Findings Tab under the Enforcement Processing section when the violation moves from Preliminary Screen to PNC review, etc. Similarly, the entity will also be able to see the status change on Mitigation from draft, CEA review, etc. | 1/31/2020 3:53 PM |
| Align/BWise Functionality | Will the new Align tool send a confirming submittal email also to the PCC as the OATI database currently does? | No, but you will be able to see the status of the submittal itself from within the Align system. | 1/31/2020 3:57 PM |
| Align/BWise Functionality | When submitting information in the Align portal, how do we designate any info in narrative as CEII? | In general, CEII should be provided through the locker. The registered entity's narrative should indicate that related information containing CEII is available in the locker. If registered entities include CEII in Align they should designate that section as such in accordance with NERC Rules of Procedure, Section 1500. We [Justin] will develop training and workflows for ensuring the right information is uploaded into Align and the lockers. | 1/31/2020 3:58 PM |
| Align/BWise Functionality | What user information is stored in the Align system? | The Align tool stores first and last names and contact information (phone numbers and email addresses) in order to identify users and send notifications. The Align system does not store any additional user information. | 2/7/2020 1:32 PM |
| Align/BWise Functionality | What capabilities does Align have to update the ERO Enterprise Locker reference code and keep an audit trail due to the revision of evidence stored in the locker? | There are absolutely no programmatic connections between Align and the ERO Enterprise Locker. When submitting into the ERO Enterprise Locker, a user will tag evidence with metadata that references Align business objects (e.g., violation ID, RFI ID). Regional Locker Custodians will have the ability to modify metadata as needed. Additionally, there is no capability within the ERO Enterprise Locker to revise evidence. A new version must be uploaded. Those versions will be tracked within the ERO Enterprise Locker itself. | 2/7/2020 1:50 PM |
| Align/BWise Functionality | Will the format/use of NERC Violation IDs be affected by the new tool? | The violation ID format will be universal, meaning it will not be differentiated by a Region acronym. | 2/7/2020 2:01 PM |
| Align/BWise Functionality | Will the request for the specific PDS (e.g., FAC-003 or PRC-016 quarterly submittal) be displayed on the initial Align Dashboard page? | Not with this initial release, but it should be in the next release. Depending on the type of PDS, we may announce them in the News section in the short term, but integrating PDS requests so they can be marked as complete from the task list will not be in Release 1. | 2/7/2020 2:03 PM |
| Align/BWise Functionality | How will a regional entity determine the sensitivity of a registered entity’s information so that that information is not uploaded to Align? | We anticipate that this will evolve over time in partnership with registered entities. There is a balance between not entering sensitive information and merely stating “see locker” as an entry in Align (e.g., self-reports). | 2/7/2020 2:05 PM |
| Align/BWise Functionality | Is it possible to restrict fields with open text to avoid registered entities updating BCSI information in the tool when creating self-reports, mitigation plans, etc.? | The open text is necessary to describe the circumstances and general nature of the reports, plans, etc. The sensitive information or files themselves should be in the locker. | 2/7/2020 2:07 PM |
| Align/BWise Functionality | Will we be loading the data FROM a CIP environment? | The ERO Enterprise has no requirement for data to be loaded directly from a CIP environment; however, an entity may choose to load directly from a CIP environment or other entity data repository. | 2/14/2020 12:20 PM |
| Align/BWise Functionality | Can you elaborate how consolidations of violations are handled? For example, consolidating new self-reports into existing, in-process Mitigation Plans of the same Requirement and root cause. | This will not change from a substantive perspective in Align; for example, when subsequent Self-Reports describe additional instances of noncompliance, they may be consolidated into an already existing violation ID. For consolidated violations, the registered entity will receive an email notification of the consolidation, and the consolidated violation will be listed on the My Findings page. Consolidating mitigation activities will also be available in Align; the specific mechanisms are still in development. | 2/28/2020 2:14 PM |
| Align/BWise Functionality | NERC’s demonstration showed free-form text boxes. Will Align use free-form text boxes or drop-down boxes, given NERC's goal is to conduct analytics using the data in Align? | Align will use a combination of dropdown and freeform text boxes. The examples were not all inclusive, and NERC anticipates still being able to conduct analytics (e.g., around trends related to specific standards, registration types, etc.). | 2/28/2020 2:15 PM |
| Align/BWise Functionality | If Align is going to include free form text boxes, will NERC add comments within the instructions of the free form text boxes to remind industry that BCSI and other sensitive information should not be put in the tool? | We anticipate that this will evolve over time in partnership with registered entities. The ERO Enterprise will continue to work with registered entities to achieve the necessary balance between not entering sensitive information and merely stating “see locker” as an entry in Align (e.g., self-reports). | 2/28/2020 2:20 PM |
| Align/BWise Functionality | What are the rules for the data retention/destruction of data stored in and accessed by Align? What are the criteria for determining when data is “no longer needed”? | NERC is in the process of developing the data retention policies. Generally, the goal is to have an aggressive destruction policy so that evidence will be destroyed when no longer needed for CMEP activities (i.e., audit, enforcement actions, etc.). | 2/28/2020 2:21 PM |
| Align/BWise Functionality | How will data be migrated from legacy tools to Align, and what will be the timing of migration in relation to Align Go-Live? | Migration of historical data will be completed in stages, depending on the functionality in the given release of Align. For the first release, we will not be migrating data. | 2/28/2020 2:21 PM |
| Align/BWise Functionality | When will materials be distributed to entities on the proposed changes to the content of data (i.e. mitigation plans, self-reports) that are expected to be input into Align? | This is evolving as we develop the tools, which will require continued training and outreach to both industry and ERO Enterprise. Training for Release 1, which will address mitigation plans, self-reports, etc., is expected to begin in Q3, but timing is still being finalized based on travel restrictions and approach. | 3/24/2020 5:00 PM |
| Align/BWise Functionality | How will the accounts for WPPI members transfer to the new system, and will each of our members need to have separate accounts or can they be managed under one WPPI account? Also, will I need to maintain OATI certificates any longer for these members? | You will need to create ERO Portal Accounts to gain access to the system. You should be able to register on behalf of your members, or they can register individually, or both (each member might have accounts, and your account might access all your members). It largely will depend on your arrangement with your members. You will not need OATI certificates for Align, but if you use or access OATI for other services, you may need to retain those certificates for those other uses. | 4/10/2020 4:06 PM |
| Align/BWise Functionality | A perusal of online Align™ project documentation suggests that “relevant” CDMS information may or will be migrated to the Align™ Evidence locker. Clarify this plan and provide insight on how the categorization and migration of relevant info will occur. | NERC has been working with CMEP staff from both the Regions and NERC to identify what information is "relevant" and how/when/if it will be migrated. Regions may also choose to extract historic information from their current implementations and store them on-site for reference. The ERO Enterprise is still in the process of identifying the data that will be migrated, and additional information will be provided when that is finalized. | 4/10/2020 4:09 PM |
| Business Process Improvements | How much consistency has been created as a result of the work on the Align project? | The Align project has created an opportunity for the ERO Enterprise to provide a consistent user experience for all regions and registered entities. The project team conducted process harmonization workshops with representation from each region, looking at all the CMEP business processes, identifying common ground and efficiency opportunities. As of Release 1, there were more than 30 process improvements identified for efficiency and commonality in the end-user experience. | 5/21/2019 11:36 AM |
| Business Process Improvements | Will the Rules of Procedures change as a result of process harmonization? | The business process improvements identified for Release 1 provided an opportunity to identify potential updates to the Rules of Procedures. These updates were provided to NERC Legal for consideration. Not all of these changes would require changes to Align, but to the extent they do, and they are submitted to and approved by FERC, the Align software will be enhanced, and regions will be notified and trained on the updates. Release 1 will be launched with the functionality to support the Rules of Procedures as they exist today. | 5/21/2019 11:58 AM |
| Business Process Improvements | Will self-logging be impacted/accommodated in the new system? | Yes, self-logging functionality will be in Release 1 of Align. Rather than entering data into a spreadsheet and sending it to the region, Registered Entities will enter self-logs directly into the Align system. | 5/21/2019 1:37 PM |
| Business Process Improvements | Should we hold off on reporting new violations until the new system is available? | Entities should continue to report new violations in the current systems. The project team will make a decision regarding migration of those violations into Align closer to the launch date. | 5/21/2019 1:37 PM |
| Business Process Improvements | Will entities be able to manage individual employee access without contacting NERC or their Region? | Yes, the ERO Enterprise has moved to a distributed administration model, where one or more "entity administrators" will manage access for that registered entity’s users via the ERO Portal. This is the same access management platform we use for the majority of our latest ERO Applications (such as TEAMS, and MIDAS) and Extranet sites. Registered Entities will also use this system to manage access to the new CORES registration system. | 5/21/2019 1:38 PM |
| Business Process Improvements | What is the process for an audit from start to completion for both the regional entity and registered entity? | Align and the lockers are tools used during the audit process. The audit processes are governed by the NERC ROP and Align will support the ROP requirements. | 2/7/2020 2:07 PM |
| Business Process Improvements | Are the requirements going to be too onerous for the regional entities to perform their CMEP obligations? | While we expect to be able to perform CMEP obligations, these changes may impact resources, so this is an ongoing consideration in light of this enhancement to security. | 2/7/2020 2:10 PM |
| Change Management and Business Readiness | What criteria will be used to determine whether or not the system is ready to go live? | Quality is foremost in the minds of the project team, and there are several pieces in place to ensure that; namely, ongoing build reviews during construction, a "tabletop" exercise with the regional SMEs to simulate the Day 1 experience, and "go/no-go" criteria that focuses on the registered entity experience, regional experience, and NERC (in that order). When making the decision to launch, the team will prioritize consideration of any impacts on registered entity staff first; then the impacts on Regional Entity staff; and last, the impact on NERC staff. | 5/21/2019 1:47 PM |
| Legacy Systems (webCDMS, CITS and CRATS) | Will the Align tool replace the current systems (webCDMS, CITS and CRATS)? | Yes, the Align tool will replace these systems once all the planned releases are completed. The business case for the project is based on sunsetting these legacy systems to reduce the costs for the ERO Enterprise from supporting three systems (webCDMS, CITS and CRATS) to supporting one platform (Align). | 5/21/2019 1:41 PM |
| Legacy Systems (webCDMS, CITS and CRATS) | What will happen to the historical data? | The current plan for historical data is two-fold: migrate relevant historical data from the legacy systems into Align for analytical purposes, and provide an "archive" of other data that can be referenced in the future. The details are still being developed. | 5/21/2019 1:42 PM |
| Legacy Systems (webCDMS, CITS and CRATS) | When will CITS/CDMS be retired, and no longer used for accessing historical data? | Accessing historical data via the legacy systems is still in discussion. There is no date yet, but systems most likely will be up and available until at least sometime in 2020. Discussions are happening with the vendors of these systems (OATI and Guidance) to provide support for this transition. | 5/21/2019 1:43 PM |
| Ongoing Support | Who will provide technical support for the new tool once the project is completed? | The Align tool will be supported by NERC IT and the BWise support team. NERC has signed a multi-year maintenance and support agreement with BWise to ensure system availability and uptime, and to maintain the environment with up-to-date patches and security updates. The NERC IT team will support the regions with requested enhancements, defect resolution, and future releases. | 5/21/2019 1:45 PM |
| Ongoing Support | What is the specified window for planned outages for Align and lockers? What is the mechanism for unplanned outages? | Planned outages of both Align and the ERO Enterprise Locker are scheduled for low-activity (i.e. off-hour) periods of time, and are scheduled during an annual planning period, taking into consideration holidays and business cycles. All efforts are made to minimize operational impacts, and notifications to stakeholders are sent at minimum one week before the planned outage. This notification window will be extended as circumstances warrant. Both planned and unplanned outages are drawn into a rigorous change control process, with increased business impact analysis and additional approvals attached to unplanned outages. Stakeholders will be given as much notice as possible of any unplanned outages, and every effort will be made to perform unplanned outages during off-hours. | 2/7/2020 1:26 PM |
| Ongoing Support | Who will own Align and the ERO Enterprise Locker and be responsible for their maintenance? | BWise owns the Align system, and U.S.-only-based BWise support will handle application maintenance (patching, platform services, etc.). AWS support services will be responsible for infrastructure maintenance. NERC owns and operates the ERO Enterprise Evidence Locker. | 2/14/2020 12:15 PM |
| Ongoing Support | How will software updates be handled? | BWise is responsible for implementing all updates to the Align software. Updates go through a rigorous release management process, in which modifications are tested for vulnerabilities that are remediated before deployment. BWise will work with NERC to determine timing and coordination of all software updates and patches and verify the identity and integrity of software source, in accordance with the current language in CIP-010-3. NERC will be responsible for updating the ERO Evidence Locker environment. All patches/updates will be brought into the environment through a secure sFTP endpoint, and all changes, including vulnerability testing and verification of the identity and integrity of the software source, will be validated before installation. | 2/14/2020 12:16 PM |
| Secure Evidence Locker Functionality | How many lockers would a large utility with multiple registrations in multiple regions have? For example an entity that operates in three Regions and has 9 registrations with unique NCR IDs. | The entity in this example could choose to use the ERO Enterprise Locker for all its entities. Or, the entity could choose to create one or more of its own lockers so long as they meet the ERO Enterprise usability and access criteria. | 1/31/2020 3:53 PM |
| Secure Evidence Locker Functionality | In responding to RFIs in past audits, a conference call would be set up so the entity could explain their evidence (tell their story) to the auditor. Can information in the evidence locker be reviewed by the CEA and Registered Entity at the same time? | The conference calls and collaboration with the Regional Entity should continue; however, the registered entity will not have view access to files within the evidence locker. Instead, the registered entity will need to look at their own copy of the submitted file that remains in their possession. CMEP staff will use references to provided evidence that may be in question. For example, "Please see line three of the file you submitted to the Locker entitled 'AssetListOne.xls'." | 1/31/2020 3:55 PM |
| Secure Evidence Locker Functionality | The ERO Evidence Locker will be protected with Public Key Infrastructure (PKI). What type of PKI is being used? | To safeguard security aspects of the Evidence Locker, we will not disclose the type of PKI infrastructure being used in the environment. We are willing to discuss this under an appropriate non-disclosure agreement. | 1/31/2020 4:25 PM |
| Secure Evidence Locker Functionality | Is there an option to create a "private" locker? | Registered entities can create their own locker. The entity provided locker must meet the defined functionality requirements. | 2/7/2020 1:31 PM |
| Secure Evidence Locker Functionality | The webinar appeared to suggest that data in the ERO Enterprise Locker is destroyed at log out from auditors. Is this correct? If so, what happens to the data from an unexpected separation, such as during a power outage or accidental logout? | When they log in, auditors are provisioned a workspace wherein evidence can be viewed from the locker and analysis performed. Any notes and results generated within this workspace (e.g., network analysis results and the CIP Evidence Request tool and its notes) can be placed into the locker. Once an auditor logs out, the workspace is recycled, but the evidence and notes in the locker persist. | 2/7/2020 1:53 PM |
| Secure Evidence Locker Functionality | Are there limitations on file name when submitting evidence to the ERO Enterprise Locker, e.g. character count or special characters? | There will be restrictions on both file name length and special characters. As we progress through detailed design and implementation, we will identify and publish those restrictions, but they will be similar to those found in NTFS file systems. | 2/7/2020 2:01 PM |
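A pre-upload check an entity could run against its evidence file names, written here as an added example (not NERC's, BWise's or the locker's code). It assumes the NTFS naming rules (reserved characters, reserved device names, a 255-character component limit, no trailing dot or space); the locker's published restrictions may differ, so the constants are meant to be adjusted when those are released.

```python
"""Pre-upload evidence file-name check modelled on NTFS naming rules.
Assumption: the locker's final rules are NTFS-like; adjust the constants
below when the ERO Enterprise publishes the actual restrictions."""
from typing import List

# Characters NTFS refuses in a file name.
RESERVED_CHARS = set('<>:"/\\|?*')
# Device names NTFS refuses as a base name, with or without an extension.
RESERVED_NAMES = {"CON", "PRN", "AUX", "NUL",
                  *(f"COM{i}" for i in range(1, 10)),
                  *(f"LPT{i}" for i in range(1, 10))}
MAX_NAME_LEN = 255  # NTFS per-component limit


def filename_problems(name: str) -> List[str]:
    """Return the rule violations for a proposed evidence file name.
    An empty list means the name passes the NTFS-style checks."""
    if not name:
        return ["empty name"]
    problems = []
    if len(name) > MAX_NAME_LEN:
        problems.append(f"longer than {MAX_NAME_LEN} characters")
    bad = sorted({c for c in name if c in RESERVED_CHARS})
    if bad:
        problems.append("reserved characters: " + " ".join(repr(c) for c in bad))
    if any(ord(c) < 0x20 for c in name):
        problems.append("control characters")
    if name != name.rstrip(" ."):
        problems.append("trailing space or period")
    stem = name.split(".", 1)[0].upper()
    if stem in RESERVED_NAMES:
        problems.append(f"reserved device name {stem}")
    return problems


def suggest_safe_name(name: str) -> str:
    """Produce a conservative replacement name: reserved and control
    characters become '_', trailing dots/spaces are stripped, a reserved
    device stem gets a prefix, and the stem is truncated to keep the whole
    name within the limit while preserving the extension."""
    cleaned = "".join("_" if (c in RESERVED_CHARS or ord(c) < 0x20) else c
                      for c in name).rstrip(" .") or "file"
    stem, dot, ext = cleaned.partition(".")
    if stem.upper() in RESERVED_NAMES:
        stem = "evidence_" + stem
    cleaned = stem + dot + ext
    if len(cleaned) > MAX_NAME_LEN:
        stem = stem[:max(1, MAX_NAME_LEN - len(dot + ext))]
        cleaned = (stem + dot + ext)[:MAX_NAME_LEN]
    return cleaned
```

Running `filename_problems` over a submission manifest before upload catches names the locker would reject (or silently alter) and keeps the names cited in Align consistent with what was actually stored.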
| Secure Evidence Locker Functionality | Will past evidence be deleted upon new evidence being uploaded? What if there is human error while uploading evidence; how does an entity tell the CEA to disregard currently uploaded evidence? | The Regional Locker Custodian will be able to assist registered entities with inadvertent data upload issues. We don’t anticipate that our ability to work with entities would be materially different than in similar situations that may arise today. In addition, the locker will retain previous versions of submitted evidence. | 2/7/2020 2:02 PM |
| Secure Evidence Locker Functionality | Should entities rename evidence so that there is no link (clue) to what it is? | There is no expectation to rename evidence files; however, this is up to the registered entity and they will need to clearly reference the correct files in the Align system (see file mapletree.pdf). | 2/7/2020 2:03 PM |
| Secure Evidence Locker Functionality | Should sensitive information, such as firewall rules, be uploaded to Align or the ERO Enterprise Locker? | Firewall configuration files should be uploaded to the ERO Enterprise Locker. Regional entity CMEP staff will document their work papers in Align without duplicating the sensitive information itself (as demonstrated in the examples during the webinar). | 2/7/2020 2:04 PM |
| Secure Evidence Locker Functionality | When data owners upload documents in the vault what format should the documents be in? | The format for the files is not expected to change from current practices that support an efficient review of the evidence. | 2/7/2020 2:08 PM |
| Secure Evidence Locker Functionality | Can evidence only be read once by the auditors? If so, how long will each evidence ticket exist after an auditor unlocks an Entity’s locker? Does this imply that the Registered Entities may need to submit evidence multiple times if human error occurs? | The evidence will remain in the locker for a defined period of time (e.g., until it is determined that it is not needed for further CMEP processing). During that time, the auditors may access the data as often as necessary. There may be circumstances in which a registered entity may need to re-submit evidence if it is inadvertently deleted (this is the tradeoff for the enhanced security). | 2/7/2020 2:08 PM |
| Secure Evidence Locker Functionality | How will a registered entity retrieve files that it has uploaded to the ERO Enterprise Locker? How will the registered entity delete the files and when can the files be deleted (at any time, before or after they have been viewed)? | The entity will not have the ability to retrieve files that have been uploaded to the ERO Enterprise Locker. If files were inadvertently uploaded, the entity would need to contact the Regional Locker Custodian to have the files removed. The ERO Enterprise will implement aggressive data destruction policies and processes to ensure data is destroyed when no longer needed. | 2/7/2020 2:09 PM |
| Secure Evidence Locker Functionality | Will Align be considered a BCSI repository if Regional Entities or registered entities update BCSI information in the workflow? | It is not expected that an entity or NERC designate Align or the ERO Enterprise Evidence Locker as a designated location of BES Cyber System Information. | 2/14/2020 12:24 PM |
| Secure Evidence Locker Functionality | In the webinar, it was mentioned that all evidence is supposed to be placed in an evidence locker, 'unless prohibited by a standard'. Does this apply to any BES Cyber System Information? If not, how is an Entity supposed to comply with NERC CIP-004 R4.1.3? | The exclusion was intended for standards such as CIP-014 where it states evidence will be retained at the Transmission Owner’s and Transmission Operator’s facilities. Nonetheless, it is not expected that an entity designate its own evidence locker or the ERO Enterprise Evidence Locker as a designated location of BES Cyber System Information pursuant to CIP-004-6, Requirement R4, Part 4.1.3. As such, the requirement to implement a process to authorize access to designated storage locations for BES Cyber System Information does not apply to access to either evidence locker. | 2/14/2020 12:25 PM |
| Secure Evidence Locker Functionality | Would NERC be considered a “vendor” (as that term is used in the standard) hosting a registered entity’s information in the cloud under the proposed CIP-011-3 R1? | It is not expected that an entity designate its own or the ERO Enterprise Evidence Locker as a designated location of BES Cyber System Information. | 2/14/2020 12:25 PM |
| Secure Evidence Locker Functionality | How will registered entities receive comments on their documentation since auditors have read-only access to the data lockers and there is no two-way communication? | The ERO Enterprise will continue to collaborate with entities while recognizing the need for changes to how that is accomplished today. The RE can communicate with the entity either verbally or using the request for information process through Align. | 2/14/2020 12:27 PM |
| Secure Evidence Locker Functionality | Will evidence in the locker be destroyed upon receipt of the final report from the auditors? | Evidence will be destroyed when no longer needed for CMEP activities (i.e. audit, enforcement actions, etc.). | 2/14/2020 12:28 PM |
| Secure Evidence Locker Functionality | Is it possible for the data owner to set limits of documents sent to the data locker? For example, can we determine the duration of a documents’ availability in the locker & can we make the documents downloadable? | No, how long the evidence in the ERO Enterprise Evidence Locker will be available to CMEP staff will be established through pre-defined retention policies. The files will not be downloadable as the environment will be configured to prevent the exfiltration of any files (e.g., copying files to a local laptop). | 2/28/2020 2:14 PM |
| Secure Evidence Locker Functionality | If an entity opts to set up their on-premises evidence locker, is there an image file that can be used to stand up the locker or do they need to build this locker from the ground up? | The entity will need to design its own evidence locker from the ground up. The ERO Enterprise is developing a locker for all registered entities to use, unless they individually opt to create their own. The specific business, security, and infrastructure decisions about a registered entity are best left to them, and we are only requiring that a registered entity’s locker meet specific usability and access criteria to facilitate CMEP staff not having to use many different processes. NERC will provide the usability and access criteria, which will include specific software and data manipulation requirements. | 2/28/2020 2:18 PM |
| Secure Evidence Locker Functionality | How will NERC proactively manage or mitigate data exfiltration from the Evidence Locker? | Registered entity users submitting evidence into the ERO Enterprise Evidence Locker will have no ability to view the evidence submitted, and therefore have no capability of exfiltrating the data. CMEP personnel will have access to the evidence through a virtual desktop environment only, which will be configured to prevent the exfiltration of any files (e.g., copying files to a local laptop). | 2/28/2020 2:18 PM |
| Secure Evidence Locker Functionality | Is the data deleted, wiped, or reimaged? | Data scheduled for destruction will be digitally shredded. Digital shredding removes deleted files and then overwrites the file’s addressable locations with a character, then its complement, and finally a random character, rendering those files irretrievable. | 2/28/2020 2:19 PM |
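The three-pass overwrite described above (a character, its complement, then random bytes, followed by deletion) as an added example, not NERC's or BWise's shredding code; the fixed pattern byte 0x55, the chunk size and the per-pass read-back verification are this example's own choices. It also carries the caveat a practitioner would want: on SSDs, copy-on-write or journaling file systems the overwritten blocks are not necessarily the blocks that held the original data.

```python
"""Three-pass digital shredding of a single file (pattern, complement,
random), verifying each pass by read-back, then unlinking the file.
Added example; pattern byte and chunk size are assumed, not NERC's."""
import hashlib
import os
import secrets
import tempfile
from typing import Dict, List

PATTERN = 0x55        # pass 1 writes this byte; pass 2 writes its complement 0xAA
CHUNK = 64 * 1024     # bytes written and read back per iteration


def _overwrite(path: str, size: int, make_chunk) -> bool:
    """Overwrite `size` bytes of `path` in place with data from make_chunk(n),
    fsync, then read the file back and confirm the pass landed. The read-back
    proves the write reached the file system, not that the physical medium
    no longer holds earlier copies (see the caveat in shred_file)."""
    expected = hashlib.sha256()
    with open(path, "r+b") as fh:
        remaining = size
        while remaining > 0:
            chunk = make_chunk(min(CHUNK, remaining))
            fh.write(chunk)
            expected.update(chunk)
            remaining -= len(chunk)
        fh.flush()
        os.fsync(fh.fileno())
    actual = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            actual.update(block)
    return actual.digest() == expected.digest()


def shred_file(path: str) -> List[str]:
    """Overwrite `path` three times (pattern, complement, random) with each
    pass verified, then remove it. Returns the names of the passes that
    verified. Caveat: on SSDs (wear levelling), copy-on-write or journaling
    file systems, and snapshot-backed storage, an in-place overwrite may land
    on different blocks than the original data, so treat this as one layer
    of a destruction policy alongside volume-level crypto-erase or physical
    destruction rather than as proof of irretrievability on its own."""
    size = os.path.getsize(path)
    passes = [
        ("pattern", lambda n: bytes([PATTERN]) * n),
        ("complement", lambda n: bytes([PATTERN ^ 0xFF]) * n),
        ("random", secrets.token_bytes),
    ]
    verified = []
    for name, make_chunk in passes:
        if _overwrite(path, size, make_chunk):
            verified.append(name)
    os.remove(path)
    return verified


def demo_shred() -> Dict[str, object]:
    """Constructed sample: write a small fake evidence file, shred it, and
    report which passes verified and whether the file still exists."""
    fd, path = tempfile.mkstemp(suffix=".xls")
    with os.fdopen(fd, "wb") as fh:
        # Constructed, non-sensitive sample content standing in for evidence.
        fh.write(b"asset,ip,owner\r\nfw-01,10.0.0.1,ops\r\n" * 2000)
    verified = shred_file(path)
    return {"verified": verified, "still_exists": os.path.exists(path)}


if __name__ == "__main__":
    print(demo_shred())
```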
| Secure Evidence Locker Functionality | If a registered entity loads information into the data locker with a timed VPN and the VPN is destroyed after the session, is the data gone? | Registered entities will not access the Evidence Locker through a VPN connection; access will be through secure web browser connectivity. | 2/28/2020 2:19 PM |
| Secure Evidence Locker Functionality | What is the timeframe for NERC to have definitive criteria, security and technical requirements, for data lockers (NERC, Regional, or registered entity) and what is the expectation and schedule to have entity owned data lockers set up? | NERC is developing and implementing an ERO Enterprise locker to be the default option for registered entities to submit evidence in support of CMEP activities. To the extent a registered entity develops and implements their own locker, the registered entity may use that after it is validated for use and meets the usability and access criteria that the ERO Enterprise developed. These criteria will be published at the end of March. Any planning, budgeting, or timing considerations relative to a registered entity’s development of their own locker are most appropriately left to the individual registered entity. | 3/24/2020 4:52 PM |
| Secure Evidence Locker Functionality | If a registered entity uses the ERO Enterprise data locker, can the registered entity encrypt files prior to uploading them rather than NERC (provide a public key to the regulator to unlock the data - entity keeps the private key for internal use only)? | Entities are not required to provide additional encryption of files as it would further complicate the process. | 3/24/2020 4:58 PM |
| Secure Evidence Locker Functionality | Will NERC use a “federated” key arrangement, giving NERC one key that will open any and all data lockers? If the diagram below correctly sets forth the Federation concept, how will NERC provide security around the “Identity Protocol”? | The ERO Enterprise Locker will implement federated authentication services. There are several mechanisms in place to ensure these identities are secured. The provider is located within a Microsoft GCC High (FedRAMP High compliant) environment, only accessible by select NERC IT staff. All access requires multi-factor authentication, further ensuring identities cannot be compromised. In addition, all communications between relying parties and the identity provider are encrypted. | 3/24/2020 4:58 PM |
| Secure Evidence Locker Functionality | Is evidence destruction automatic or manual? | Evidence destruction will be scheduled, based on pre-defined retention policies, and performed automatically. There will be override mechanisms to change the retention policy for, or manually trigger the destruction of, individual pieces of evidence. | 3/24/2020 4:59 PM |
| Secure Evidence Locker Functionality | Will the lockers be partitioned? Set up separate partitions within the locker, i.e. Reports, Risks, Incidents, Controls, Mitigations? (Assumed that "Entity X" will only have access to their own data) | There will be partitions within the locker environment to segregate evidence by registered entity and by engagement (e.g., audit/discovery method/self-report). Entities will be responsible for appropriately tagging evidence (i.e., associating it with an engagement/discovery method) when it is submitted, but entities will not have access to any evidence within the locker. | 3/24/2020 4:59 PM |
| Secure Evidence Locker Functionality | Could you offer any commentary on how audit interactions between Regional Entities and Registered Entities will be impacted? Will the data locker be the sole means of information exchange? | The ERO Evidence Locker will not be the sole means of information exchange. Evidence lockers will be used to securely provide access to registered entity evidence, which are artifacts created by a registered entity that can be used to demonstrate compliance with NERC Reliability Standards, completion of mitigation activities, etc. Align will be used to collect or produce information needed to execute the CMEP (e.g., Self-Report information, Mitigation Plan information, Audit work papers, Compliance Oversight Plans, and Notifications). | 3/24/2020 5:01 PM |
| Secure Evidence Locker Functionality | It was mentioned that the Evidence locker will reside in an evidence room. Does this mean that all lockers from every entity will reside in this room, or will entity lockers be divided into groups in separate rooms? | There will be a private locker within the Enterprise Information Management system (i.e., the evidence room) for each entity and each entity engagement (e.g., self-reports, audit, enforcement action, etc.). CMEP staff will only have access to the lockers within their area of responsibility, and access will be managed based on each engagement. | 5/4/2020 3:04 PM |
| Secure Evidence Locker Functionality | Why don't we consider time blocking during non-business hours instead of 24/7 availability? Anyone that wanted to access after hours would need to be approved to do so. | We recognize that the ERO Enterprise CMEP staff reviewing information related to CMEP activities frequently have a need to review information during non-traditional hours. However, the evidence locker has additional controls intended to address access, such as geo-blocking, intrusion detection, and behavioral analysis capabilities. | 5/4/2020 3:06 PM |
| Secure Evidence Locker Functionality | Will the ERO Enterprise provide information on who touched my documents, and what CMEP staff did with them? | From an audit perspective, this is not something that is provided today, is not appropriate under standard industry practices, and would be an overwhelming technical challenge. There will be less costly and more effective controls in place to detect inappropriate access to the data, including multiple user access controls, behavioral analysis capabilities, and restrictions on the egress of information from the environment. In addition, in the event of a data breach, any affected entity would be notified. | 5/4/2020 3:07 PM |
| Secure Evidence Locker Functionality | We are working to get our evidence locker built per the Align phase 1 schedule. What is the plan for the lockers in 4Q2020/1Q2021? Will all functionality be tested or a subset of functionality? If not all, what will be tested? | The ERO Enterprise is planning to test all functionality of the ERO Enterprise Secure Evidence Locker in Q4 2020 and train ERO Enterprise staff in Q1 2021. Entity-hosted evidence lockers will be assessed for functionality as Regional Entities are notified and as resources are available. | 7/20/2020 8:46 AM |
| Secure Evidence Locker Functionality | On the requirement that a registered entity SEL provide remote access users an interactive Microsoft Windows 10 64-bit environment: Could a Registered Entity use Windows Server (2012 or later) with terminal services to provide the same function? | The reason for the specification is twofold: 1) Ease of use. A consistent look and feel for CMEP staff to perform their work. 2) Application functionality. The ERO Enterprise will test for application functionality, so if the required applications and correct versions operate on a Windows 2012 server environment, it would be acceptable. | 9/2/2020 2:40 PM |
| Security | Will there be various levels of access/permissions with Align, such as a “view only” login for someone to monitor CMEP activity but not able to submit data? | Yes. With this initial release, registered entities have the following access levels:
• Read: can view information, but not create, edit, or submit for processing;
• Editor: can create and edit items, but not submit for processing;
• Submitter: can create, edit, and submit an item for processing.
Additionally, certain activities will be assigned to users based on their role (e.g., an RFI is by default assigned to the PCC). | 1/31/2020 3:56 PM |
| Security | I work for a German company and our emails come from a German IP address. What will we need to do to not be blocked? | There will be an exception process by which access will be granted to specific IP addresses based on justifiable circumstances. The process will involve presenting justification to the ERO Enterprise for consideration. | 1/31/2020 4:02 PM |
| Security | Has the project as a whole taken a quantum-safe approach to encryption and other potential concerns? | Yes, both Align and the Evidence locker will use symmetric key encryption with sufficiently large, randomized keys so as to be quantum-resistant in the current technological landscape. The ERO Enterprise is closely following NIST efforts around Post-Quantum Cryptography Standardization, as described in NISTIR 8240, in order to protect against evolving quantum threats. | 1/31/2020 4:04 PM |
| Security | Multi-factor authentication is required to access both Align and the ERO Enterprise Evidence Locker. What options does a user have for the second factor? (e.g. can the push be to the user’s company computer instead of a mobile phone?) | The second authentication factor will be restricted to either a request for confirmation via an app on a pre-registered mobile phone or tablet, or an automated voice call to a pre-provided telephone number that requires touch-tone acknowledgement. | 1/31/2020 4:05 PM |
| Security | Is the System Administrator of the ERO Enterprise Evidence locker able to access the Evidence? | System Administrators will not have access to the evidence contained within a locker, which is a highly secure, enterprise content management (ECM) system. Only regional locker custodians will have rights to grant and manage permissions within this ECM environment. | 1/31/2020 4:06 PM |
| Security | When evidence is uploaded to the ERO Enterprise Locker, the receipt email includes the hash. Is there any alerting when hash values changes for evidence? | While there is currently no plan for automating the comparison of hash values, this feature has been discussed and is a candidate for an enhancement release. | 1/31/2020 4:07 PM |
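The automated hash comparison the answer above describes as a candidate enhancement, as an added example that is not the ERO Enterprise's implementation: it issues a receipt record carrying a SHA-256 digest at submission time and later re-checks every receipt, raising an alert line for any altered or missing file. The hash algorithm, receipt field names, and sample files are assumptions made here; the FAQ only states that the receipt email includes "the hash".

```python
import hashlib
import hmac
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk=64 * 1024):
    """Stream the file so large evidence packages need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def issue_receipt(path, entity, engagement):
    """Build the receipt record a submitter would get back at upload time.
    Field names are assumed; the FAQ only says the receipt includes the hash."""
    return {
        "file": Path(path).name,
        "entity": entity,
        "engagement": engagement,
        "sha256": sha256_file(path),
        "submitted_at": datetime.now(timezone.utc).isoformat(),
    }


def verify_receipt(path, receipt):
    """Recompute the digest and compare it to the receipt in constant time.
    Returns (ok, current_hash) so a caller can log or alert on mismatch."""
    current = sha256_file(path)
    return hmac.compare_digest(current, receipt["sha256"]), current


def integrity_alerts(locker_dir, receipts):
    """Run the check over every receipt and return the alert lines a scheduled
    job would raise: files that vanished and files whose digest changed."""
    alerts = []
    for r in receipts:
        p = Path(locker_dir) / r["file"]
        tag = f"{r['entity']}/{r['engagement']}/{r['file']}"
        if not p.exists():
            alerts.append(f"MISSING {tag}")
            continue
        ok, current = verify_receipt(p, r)
        if not ok:
            alerts.append(f"HASH_MISMATCH {tag} "
                          f"expected={r['sha256'][:12]} actual={current[:12]}")
    return alerts


def demo():
    """Constructed scenario: two submissions for Entity X, after which one file
    is altered and the other removed. Returns (alerts before, alerts after)."""
    with tempfile.TemporaryDirectory() as d:
        locker = Path(d)
        a = locker / "access_list.csv"        # constructed sample evidence
        b = locker / "config_baseline.txt"    # constructed sample evidence
        a.write_text("user,role\nalice,admin\n")
        b.write_text("baseline v1\n")
        receipts = [issue_receipt(a, "ENTITY-X", "2020-audit"),
                    issue_receipt(b, "ENTITY-X", "2020-audit")]
        before = integrity_alerts(locker, receipts)
        a.write_text("user,role\nalice,admin\nmallory,admin\n")  # altered later
        b.unlink()                                             # removed later
        return before, integrity_alerts(locker, receipts)


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```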
| Security | Who applies the file-level permissions to evidence submitted into the ERO Evidence Locker? | Regional staff, called Regional Locker Custodians, will apply permissions. | 1/31/2020 4:08 PM |
| Security | Please explain the concept of "Distributed Authorization" when it comes to granting permissions to the ERO Enterprise Locker. | The idea is that certain employees of the entity (called entity administrators) will have the ability to grant and revoke access to the ERO Enterprise Evidence Locker for other employees within their entity. | 1/31/2020 4:14 PM |
| Security | It was stated that “the privileged session server was on-premises and only physical access was allowed to the privileged session server.” It was also stated that admins will access a secure URL of a privileged session server and MFA. Please clarify. | This was an inadvertent error on the slide. The privileged session server will only be accessible through physical presence. | 1/31/2020 4:24 PM |
| Security | What background checks and security training will NERC staff with access to the ERO Enterprise Locker be subject to? | All NERC staff undergo annual security training, and background checks are performed for all new hires. In addition, the principles of Separation of Duties and Dual Control applied to key management duties serve to further reduce the risk of insider threats. | 2/7/2020 1:27 PM |
| Security | Will the registered entity be provided the list of individuals that have access to the ERO provided locker, and if so, how often will entities be notified of changes to the list? | Registered entities will have direct control over which individuals within their company have access to the ERO Enterprise Locker and can view that list at any time. The list of ERO Enterprise individuals with access to the locker will not be publicly provided. | 2/7/2020 1:29 PM |
| Security | What processes will be put in place in the event a NERC employee with access is terminated or moved to a position where access is not necessary? | Access to all resources is revoked immediately upon termination of an employee. In addition, all employees that change job responsibilities undergo a review of their entitlements and changes are made as appropriate. | 2/7/2020 1:30 PM |
| Security | How often will the systems be patched, and to what levels? | Both Align and the ERO Enterprise Locker will be on a monthly patch schedule, unless there is a patch deemed critical enough to warrant an unscheduled outage (e.g., for a zero-day vulnerability). Environments are kept at current patch levels for Critical and Important updates. | 2/7/2020 1:30 PM |
| Security | Does Geo-blocking involve blocking all Countries except for those within the NERC footprint? | Yes, but we understand that for certain entities there may be exceptions because of foreign ownership, etc. (e.g., traffic routed through a German headquarters), as we indicated in response to a separate question. | 2/7/2020 1:34 PM |
| Security | Can Align interface with Password Vault in case a registered entity uses NERC’s locker? | Users will use the same set of credentials to log into Align and the ERO Enterprise Locker. NERC issues and manages these credentials. | 2/7/2020 1:49 PM |
| Security | Will the activity logs for the ERO Enterprise Locker be available to registered entities? | Activity logs will not be released to registered entities. | 2/7/2020 1:51 PM |
| Security | What criteria and process has NERC used to vet the vendors that are part of the supply chain for Align and the data lockers? What supply chain risks have been identified and how have they been mitigated? | Each vendor is subject to the standard, NERC-led vendor risk assessment and mitigation of related risks. The details of NERC's risk assessments are confidential. Among the mitigation measures adopted in this case, NERC has implemented controls that prohibit all vendors from accessing the ERO Evidence Locker environment both physically and programmatically, and prevent all egress of data and communication from the SEL (the only exception being highly-restricted, outbound SMTP traffic). Additionally, controls are in place that restrict access to the Align software (encryption at the virtualization layer) and data in transit and at rest. All data is encrypted for both Align and the SEL, with NERC owning and possessing those encryption keys. Additionally, information related to CMEP processes will be separated between Align and the SEL, with complete isolation between the two systems. | 2/14/2020 12:17 PM |
| Security | Will NERC abide by CIP-004 and CIP-011, in addition to other security controls for Align and the ERO Enterprise Evidence Locker? | NERC is designing these tools to be consistent with many standards, including our CIP standards. It is not expected that an entity designate the ERO Enterprise Evidence Locker as a designated location of BES Cyber System Information. | 2/14/2020 12:18 PM |
| Security | Are there security mechanisms in place for the contacts and business roles of the Align Tool? | The Align tool implements role-based authorization, restricting access to contact and business role information to only those personnel with the appropriate entitlements. | 2/14/2020 12:18 PM |
| Security | What is the minimum password complexity requirement of the Evidence Locker user account? i.e., length, symbols, numbers, upper case, lower case, etc. | Password complexity must meet the following requirements: 10 characters in length, and must contain at least 1 number, 1 uppercase letter, 1 lowercase letter, and 1 special character (i.e., !, @, #, $, %, ^, &, *). | 2/14/2020 12:19 PM |
| Security | Who will be performing "network cyber testing"? How often will they be performed? How long will logs be kept? | An independent, third-party vendor will perform cyber penetration assessments, which will include both black and grey-box testing, including the OWASP top 10. This testing will be part of the change management process and will be scheduled on a regular, quarterly basis. | 2/14/2020 12:20 PM |
| Security | What kind of virus / malware protections are in place, and what vendor is being used? | Both Align and the ERO Enterprise Evidence Locker will have virus/malware protection. To safeguard security aspects of both environments, we will not disclose the type of anti-virus/malware protection or the vendor being used in the environments. | 2/14/2020 12:21 PM |
| Security | Please explain 'regionally specific encryption'. | Regionally specific encryption refers to the concept that evidence will be encrypted using different keys, based on which regional CEA the evidence is being submitted for. | 2/14/2020 12:21 PM |
| Security | Why is TLS 1.2 encryption being used rather than the more current TLS 1.3? | TLS 1.2 is being used in the Align system, with plans to move to TLS 1.3 on the solution roadmap. The ERO Enterprise Evidence Locker will use TLS 1.3. | 2/14/2020 12:22 PM |
| Security | What type of encryption? How many layers? At what point is it encrypted? Who has the keys? | The Align system will implement both symmetric and asymmetric encryption. Data in transit will be encrypted utilizing TLS, while data at rest will be encrypted at the database layer and at the virtualization layer. NERC will own and manage the keys for the database layer encryption (no other party will have access to those keys), while BWise will own and manage the keys at the virtualization layer. The ERO Enterprise Evidence Locker will encrypt data in transit and at rest at the file level (each file will be encrypted individually). NERC will own and manage all keys for the evidence locker. | 2/28/2020 2:15 PM |
| Security | To enhance security, should lockers only be available during business hours and upon request rather than 24x7? | CMEP staff often access data and perform analysis during non-business hours to ensure data is reviewed or CMEP activities are completed on time. Therefore, data lockers must routinely be available during non-business hours. | 2/28/2020 2:16 PM |
| Security | The access control policy for the evidence locker will be Write-Only for all entities and Read-Only for all auditors. Is this the correct understanding of the access control policy for the evidence locker? | All entities will have write-only privileges, while CMEP staff will have read-only capabilities for submitted evidence. CMEP staff will have the ability to create notes and capture the results of utilities used to analyze the evidence (e.g., NP-View) within the evidence locker. Only CMEP staff will have read-write permissions assigned for these notes/results. | 2/28/2020 2:17 PM |
| Security | How often will external audits be completed on the Align tool and associated data locker(s)? | Independent, third-party audits will be performed on the ERO Evidence Locker on an annual basis. The Align solution will undergo a SOC2 Type II audit annually. | 3/24/2020 4:51 PM |
| Security | Auditing of activities and logs on the system - Who will be doing this? | NERC IT will audit all activities and logs on the system. | 3/24/2020 4:51 PM |
| Security | Who will be monitoring 24x7? | A trusted vendor will perform active monitoring, with NERC IT on-call for any immediate issues to be resolved. | 3/24/2020 4:52 PM |
| Security | Data Lockers will require patching and other maintenance, making 24x7 availability unreasonable. How will NERC notify users during these maintenance periods, and what is the expectation for registered entities if they need to conduct maintenance? | 24x7 availability is a general expectation that the locker is available all the time (i.e., not just during business hours, for example, or only Monday through Friday). We understand that downtime and maintenance will occur, resulting in the evidence locker not being available. Entities are expected to notify their CEA if their locker is unavailable. Likewise, NERC will notify PCCs when the ERO Enterprise Locker is unavailable. | 3/24/2020 4:55 PM |
| Security | Will the access to the data locker need a single key entry or multikey access (companion key and C key)? If so, data owners should own the companion key. | This will be determined during low-level design discussions. | 3/24/2020 4:56 PM |
| Security | How long will NERC keep data, logs? | Evidence (i.e., data) will be retained according to an aggressive retention schedule based on engagement. Log files will be retained for one year. | 3/24/2020 5:00 PM |
| Security | If an entity classifies CMEP staff as contractors, corporate policy may require background checks and training. How will the ERO Enterprise staff comply with each entity's BCSI storage location "contractor" access policy? | It is not expected that an entity designate its evidence locker as a designated location of BES Cyber System Information. NERC also understands that an entity’s procedures for handling BCSI require all individuals who have access to BCSI to be fully vetted through Personnel Risk Assessments and training, among other things. The CIP standards do not specifically require these steps. If the entity has concerns as to how it will apply its vetting to ERO Enterprise CMEP staff, it could reevaluate its procedures as they apply to regulatory CMEP staff. | 4/13/2020 2:17 PM |
| Security | The ERO Enterprise indicates that there is 24x7 system monitoring; is this being done by a NERC System Operations Center? | A trusted vendor who monitors the SIEM logs 24/7 provides the SOC, and NERC staff is on-call 24/7 for any incidents requiring escalation. | 5/4/2020 3:05 PM |
| Security | Will the project team perform a third-party assessment of the ERO SEL? | Yes, a third-party assessment is planned for the ERO SEL after construction and prior to go live. The primary intent is to assure that the ERO SEL is configured to meet the NIST 800-171 security architecture framework and is operating effectively. | 8/12/2020 9:54 AM |
| Security | Is NERC going to engage a third party (like Coalfire) to perform a vulnerability assessment on Align and provide the results to industry? | NERC is contracting an external, third-party vendor to perform an assessment of the ERO SEL prior to go-live. The primary intent is to assure that the ERO SEL is operating as designed within the 800-171 framework, and that those controls have been implemented correctly and are operating effectively. The effort is currently in the RFP process, with the candidate vendor pool including recommendations from EEI and NERC security. The communications to industry are still being developed. | 9/2/2020 2:42 PM |
| Stakeholder Engagement | Did NERC get input with regard to the entity experience before building the system? | Yes, NERC is engaged with the CCC’s Alignment Working Group to get feedback on what their experience will be. They have been shown screenshots of the system, and will also be able to provide feedback during user acceptance testing. | 5/21/2019 11:43 AM |
| Stakeholder Engagement | Will NERC include an MRC representative on the Steering Committee so that an industry perspective can be provided during these important discussions that impact industry and technology? If not, please explain why. | No, we have regularly and continually sought registered entity perspectives, and will continue to do so. The Steering Committee is a project management component internal to the ERO Enterprise. | 2/7/2020 1:24 PM |
| Stakeholder Engagement | How will NERC share and report any vulnerabilities and incidents for Align and lockers? What is the process for notifying industry of incidents such as disclosure, breach, etc., and the response plan? | In the event of an incident, the ERO Enterprise will execute a pre-defined incident response plan, which includes procedures to direct effort in the following phases: Preparation, Detection and Notification, Containment and Eradication, Recovery, and Lessons Learned. The plan contains direction on assessing the operational impact of the breach, reporting and communications with internal and external stakeholders (focusing on mitigation of legal, operational, and reputational risk), and contingency plans for operational recovery. | 2/7/2020 1:25 PM |
| Stakeholder Engagement | Are there any additional administrative costs from NERC other than Registered Entity-owned operational costs for setting up this locker? | At this time, NERC does not foresee imposing any administrative costs upon an entity seeking to build their own locker. | 2/7/2020 1:32 PM |
| Technology | What is multifactor authentication (MFA) and how will it work? | Multi-factor Authentication (MFA) is a method by which a user is required to present more than one factor in order to log into the system. When a user logs into the system they will be required to provide a password (what you know), and then the system will send a notification to either the user’s phone or email address (what you have). Once the user acknowledges the notification, they will be logged into the system. | 5/21/2019 1:39 PM |
| Technology | Where will Align be hosted? | The Align solution will be running on NERC-dedicated private (single-tenant) servers, on hardware hosted by a FedRAMP-certified cloud services provider (CSP). | 5/21/2019 1:39 PM |
| Technology | Will there be an API to extract entity’s data so entities can generate their own trends? | The Align tool has robust reporting capabilities that allow for users to export information from reports to perform external analysis. While we do not plan to give registered entities the ability to invoke API methods directly, we are exploring how to give registered entities the ability to create their own reports using their own data in the future. Prior to giving a user this capability, registered entities will need to take a training course on how to use the built-in reporting functions of the Align system. We will announce more about these features and others as the Align tool continues to mature. | 5/21/2019 1:40 PM |
| Technology | Does Geo-blocking involve blocking all Countries except for those within the NERC footprint? | Yes, geo-blocking will restrict access to only those countries that are involved in ERO Enterprise CMEP activities. | 1/31/2020 4:01 PM |
| Technology | Please provide information on the cloud hosting locations, as well as any concerns over data sovereignty laws with information stored in other countries. | The Align solution will be hosted in the continental United States. | 1/31/2020 4:03 PM |
| Technology | Is the Align tool hosted on a cloud server? | The Align infrastructure is provided by a FedRAMP-certified cloud services provider, while the application and other services are installed on a private VLAN within this infrastructure. The virtualization layer of the solution and the application data will be encrypted. However, NERC owns and operates the ERO Enterprise Evidence Locker. | 5/4/2020 3:05 PM |
| Training | Will I need to train my registered entities for Day 1? | Yes, registered entities should be trained to use the system on Day 1. The plan is to migrate the appropriate data and cutover from legacy systems to the Align tool on Day 1, and not use the legacy systems for Release 1 functions from that point forward. The project team is providing the training materials for the regions to use to train their registered entities. | 5/21/2019 1:45 PM |
| Training | Will training be completed in a demo environment or the real system environment? | NERC will conduct training in a separate training environment that will simulate the production environment. The training system will have the same core functionality as the production system. | 5/21/2019 1:46 PM |
| Training | How will the Release 1 delay impact Align training? | The Align project team will work with regional staff to update the Release 1 training schedule. While exact dates are still being determined, training will likely be completed in Q1/Q2 2020. The Align project team will use the remainder of Q4 to refine training materials and work with the regional project team members to ensure that all impacted Align users are prepared for the Release 1 launch. When the final schedule is published, there will be ample time to register for training. | 8/29/2019 4:19 PM |