Status
The comment period, initial ballot, and associated Violation Risk Factor/Violation Severity Level non-binding poll for reliability standard CIP-003-X - Cyber Security — Security Management Controls concluded 8 p.m. Eastern, Monday, October 11, 2021. The comments and ballot results can be accessed via the links below. The drafting team will review all responses received and determine the next steps of the project.
Project 2016-02 (Virtualization) and Project 2020-03 (Supply Chain) are both making modifications to CIP-003. The Supply Chain team is using "-X" in place of the version number, and Virtualization used "-Y". The version number will be assigned upon adoption by the NERC Board of Trustees.
Background
In its final report accepted by the NERC Board in May 2019, NERC documented the results of the evaluation of supply chain risks associated with certain categories of assets not currently subject to the Supply Chain Standards and recommended actions to address those risks. NERC staff recommended further study to determine whether new information supports modifying the standards to include low impact BES Cyber Systems with external connectivity by issuing a request for data or information pursuant to Section 1600 of the NERC Rules of Procedure.
The Board approved the formal issuance of this data request on August 15, 2019. NERC collected the data from August 19 through October 3, 2019. A final report, Supply Chain Risk Assessment, was published in December 2019. The report recommended the modification of the Supply Chain Standards to include low impact BES Cyber Systems with remote electronic access connectivity. Further, industry feedback was received regarding this recommendation at the February 2020 NERC Board meeting through MRC Policy Input.
After considering policy input, the NERC Board adopted a resolution to initiate a project to modify Reliability Standard CIP-003-8 to include policies for low impact BES Cyber Systems to: (1) detect known or suspected malicious communications for both inbound and outbound communications; (2) determine when active vendor remote access sessions are initiated; and (3) disable active vendor remote access when necessary.
Standard(s) Affected – CIP-003-8
Purpose/Industry Need
This project will address the NERC Board resolution adopted at its February 2020 meeting to initiate a project to modify Reliability Standard CIP-003-8 to include policies for low impact BES Cyber Systems to: (1) detect known or suspected malicious communications for both inbound and outbound communications; (2) determine when active vendor remote access sessions are initiated; and (3) disable active vendor remote access when necessary.
Subscribe to this project's observer distribution list
Select "NERC Email Distribution Lists" from the "Service" drop-down menu and specify “Project 2020-03 Supply Chain Low Impact Revisions Observer List” in the Description Box.