Strategic planning for CIP Standard version changes is important to ensure continuing compliance within your organization. The fourth and fifth versions of the Standards are currently in the final draft stage and are available from NERC during the formal comment period.

With significant changes to the NERC CIP Standards anticipated in the upcoming fifth version, it is important for your organization to begin strategic planning now to ensure an organized and efficient transition to the new requirements.

CIP Standard Version 4

The fourth version of the CIP Standard includes minor changes to several requirements:

CIP-002-4 includes specific criteria for the identification of critical assets, and will require all responsible entities to update their policies and procedures defining asset identification.

Additionally, because of the newly provided criteria, the fourth version eliminates the requirement for each organization to develop its own “Risk-Based Assessment Methodology.” WorkForce Planning can guide your organization through revising and improving your policies and procedures in support of these version changes.

CIP Standard Version 5

The fifth version of the CIP Standard includes several dramatic changes to all of the cyber security requirements:

CIP-002-5 requires responsible entities to identify critical “systems” instead of “assets,” a significant change that will compel many organizations to seek professional consulting services to ensure full compliance is maintained.

In addition, CIP-004-05 introduces the requirement for specific CIP Role-Based Training discussed here.

CIP-010-05 is a new CIP Standard, and unifies previous standard requirements regarding configuration management and vulnerability assessment. CIP-011-05 is also a new CIP Standard, and enhances existing information protection requirements.