compliance monitoring and enforcement program (cmep ... cmepac final agenda... · make every...

Meeting Agenda Compliance Monitoring and Enforcement

Program (CMEP) Advisory Council

March 4, 2020 9:00 a.m. to 3:00 p.m. Central

MRO Corporate Offices, King Conference Center St. Paul, MN 55102

Meeting Agenda – CMEP Advisory Council – March 4, 2020

VIDEO AND AUDIO RECORDING

Please note that Midwest Reliability Organization (MRO) may make a video and/or an audio recording of this organizational group meeting for the purposes of making this information available to board members, members, stakeholders and the general public who are unable to attend the meeting in person.

By attending this meeting, I grant MRO:

1. Permission to video and/or audio record the meeting including me; and2. The right to edit, use, and publish the video and/or audio recording.3. I understand that neither I nor my employer has any right to be compensated in connection with the

video and/or audio recording or the granting of this consent.

of 49


MRO ORGANIZATIONAL GROUP GUIDING PRINCIPLES

These MRO Organizational Group Guiding Principles complement charters. When the Principles are employed by members, they will support the overall purpose of the organizational groups.

Organizational Group Members should:

1. Make every attempt to attend all meetings in person or via webinar.

2. Be responsive to requests, action items, and deadlines.

3. Be active and involved in all organizational group meetings by reviewing all pre-meeting materials andbeing focused and engaged during the meeting.

4. Be self-motivating, focusing on outcomes during meetings and implementing work plans to benefit MROand MRO’s registered entities.

5. Ensure that the organizational group supports MRO strategic initiatives in current and planned tasks.

6. Be supportive of Highly Effective Reliability Organization (HEROTM) principles.

7. Be supportive of proactive initiatives that improve effectiveness and efficiency for MRO and MRO’sregistered entities.

of 49


Agenda Item 1 Call to Order

Carl Stelly, Chair a. Determination of Quorum and Introductionsb. Standards of Conduct and Anti-Trust Guidelinesc. Robert’s Rules of Order

2 Advisory Council Logistics Desirée Sawyer, CMEP Advisory Council Staff Support

a. Collaboration Siteb. Work Plan/Action Itemsc. Minutesd. Self-Certification Worksheet Review

3 Work Plan Updates Carl Stelly, Chair

a. Status of all Work Plan Itemsb. Survey to Primary Compliance Contacts and 2019 CMEP Conference Registrantsc. CMEPAC Monthly Calld. Webinars 2020e. Newsletter Articles 2020f. Vote to Recommend to OGOC for Approval

Break 10:30 a.m. 4 2020 CMEP Conference Planning

Carl Stelly, Chair

Lunch 12:00 p.m. 5 CORES Update

Russ Mountjoy, Manager, Registration, Certification and Standards

6 Standing Reports a. NERC Compliance and Certification Committee (NERC CCC)

Jami Young, MRO Representative on NERC CCCb. NERC Standards Review Forum (NSRF)

Joe DePoorter, Chair NSRF, CMEPAC Memberc. Mid-Continent Compliance Forum (MCCF)

MCCF Memberd. SPP RC Working Group (SPP-RCWG)

SPP-RCWG Member

Break 2:00 p.m.

7 Align Project Update Desirée Sawyer, MRO Align Change Agent

8 Work Plan Breakout Groups Carl Stelly, Chair

9 Review of Action Items Desirée Sawyer, CMEP Advisory Council Staff Support

10 Recommendation to OGOC on CMEPAC Nominations Carl Stelly, Chair

11 Other Business and Adjourn Carl Stelly, Chair

of 49


AGENDA 1 Call to Order

a. Determination of Quorum and IntroductionsCarl Stelly, Chair

Name Role Company Term Carl Stelly, Chair Chair Southwest Power Pool, Inc. 12/31/2021

Terri Pyle, Vice Chair Vice Chair Oklahoma Gas and Electric 12/31/2020

Andy Crooks Member Saskatchewan Power Corporation 12/31/2022

Eric Ruskamp Member Lincoln Electric System 12/31/2020

Fred Meyer Member The Empire District Electric Company 12/31/2020

Joseph DePoorter Member Madison Gas & Electric 12/31/2021

Josh Roper Member Evergy 12/31/2022

Mahmood Safi Member Omaha Public Power District 12/31/2022

Mark Buchholz Member Western Area Power Administration 12/31/2022

Mike Smith Member Manitoba Hydro 12/31/2021

Olivia Russell Member NextEra Energy 12/31/2020

Paul Mehlhaff Member Sunflower Electric Power Cooperative 12/31/2022

Sharon Koller Member American Transmission Company 12/31/2021

Thad Ness Member Northern States Power Company d/b/a Xcel Energy 12/31/2020

Tracey Stewart Member Southwestern Power Administration 12/31/2021

of 49


AGENDA 1 Call to Order

b. Standards of Conduct and Anti-Trust GuidelinesCarl Stelly, Chair

Standards of Conduct Reminder: Standards of Conduct prohibit MRO staff, committee, subcommittee, and task force members from sharing non-public transmission sensitive information with anyone who is either an affiliate merchant or could be a conduit of information to an affiliate merchant.

Anti-trust Reminder: Participants in Midwest Reliability Organization meeting activities must refrain from the following when acting in their capacity as participants in Midwest Reliability Organization activities (i.e. meetings, conference calls, and informal discussions):

• Discussions involving pricing information; and• Discussions of a participants marketing strategies; and• Discussions regarding how customers and geographical areas are to be divided among

competitors; and• Discussions concerning the exclusion of competitors from markets; and• Discussions concerning boycotting or group refusals to deal with competitors, vendors, or suppliers.

of 49


AGENDA 1 Determination of Quorum c. Robert’s Rules of Order

Carl Stelly, Chair

Parliamentary Procedures. Based on Robert’s Rules of Order, Newly Revised, Tenth Edition

Establishing a Quorum. In order to make efficient use of time at MRO organizational group meetings, once a quorum is established, the meeting will continue, however, no votes will be taken unless a quorum is present at the time any vote is taken.

Motions. Unless noted otherwise, all procedures require a “second” to enable discussion.

When you want to… Procedure Debatable Comments Raise an issue for discussion

Move Yes The main action that begins a debate.

Revise a Motion currently under discussion

Amend Yes Takes precedence over discussion of main motion. Motions to amend an amendment are allowed, but not any further. The amendment must be germane to the main motion, and cannot reverse the intent of the main motion.

Reconsider a Motion already resolved

Reconsider Yes Allowed only by member who voted on the prevailing side of the original motion. Second by anyone.

End debate Call for the Question or End Debate

No If the Chair senses that the committee is ready to vote, he may say “if there are no objections, we will now vote on the Motion.” Otherwise, this motion is not debatable and subject to majority approval.

Record each member’s vote on a Motion

Request a Roll Call Vote

No Takes precedence over main motion. No debate allowed, but the members must approve by majority.

Postpone discussion until later in the meeting

Lay on the Table Yes Takes precedence over main motion. Used only to postpone discussion until later in the meeting.

Postpone discussion until a future date

Postpone until Yes Takes precedence over main motion. Debatable only regarding the date (and time) at which to bring the Motion back for further discussion.

of 49


Remove the motion for any further consideration

Postpone indefinitely Yes Takes precedence over main motion. Debate can extend to the discussion of the main motion. If approved, it effectively “kills” the motion. Useful for disposing of a badly chosen motion that cannot be adopted or rejected without undesirable consequences.

Request a review of procedure

Point of order No Second not required. The Chair or secretary shall review the parliamentary procedure used during the discussion of the Motion.

Notes on Motions Seconds. A Motion must have a second to ensure that at least two members wish to discuss the issue. The “seconder” is not required to be recorded in the minutes. Neither are motions that do not receive a second.

Announcement by the Chair. The chair should announce the Motion before debate begins. This ensures that the wording is understood by the membership. Once the Motion is announced and seconded, the Committee “owns” the motion, and must deal with it according to parliamentary procedure.

Voting Voting Method When Used How Recorded in Minutes

When the Chair senses that the Committee is substantially in agreement, and the Motion needed little or no debate. No actual vote is taken.

The minutes show “by unanimous consent.”

Vote by Voice The standard practice. The minutes show Approved or Not Approved (or Failed).

Vote by Show of Hands (tally)

To record the number of votes on each side when an issue has engendered substantial debate or appears to be divisive. Also used when a Voice Vote is inconclusive. (The Chair should ask for a Vote by Show of Hands when requested by a member).

The minutes show both vote totals, and then Approved or Not Approved (or Failed).

Vote by Roll Call To record each member’s vote. Each member is called upon by the Secretary, and the member indicates either

“Yes,” “No,” or “Present” if abstaining.

The minutes will include the list of members, how each voted or abstained, and the vote totals. Those members for which a “Yes,” “No,” or “Present” is not shown are considered absent for the vote.

of 49


Notes on Voting. Abstentions. When a member abstains, he/she is not voting on the Motion, and his/her abstention is not counted in determining the results of the vote. The Chair should not ask for a tally of those who abstained.

Determining the results. A simple majority of the votes cast is required to approve an organizational group recommendations or decision.

“Unanimous Approval.” Can only be determined by a Roll Call vote because the other methods do not determine whether every member attending the meeting was actually present when the vote was taken, or whether there were abstentions.

Electronic Votes – For an e-mail vote to pass, the requirement is a simple majority of the votes cast during the time-period of the vote as established by the Committee Chair.

Majorities. Per Robert’s Rules, as well as MRO Policy and Procedure 3, a simple majority (one more than half) is required to pass motions.

of 49


AGENDA 2 Advisory Council Logistics

a. Collaboration Site

b. Work Plan/Action Items

c. Minutesd. Self-Certification Worksheet Review

Desirée Sawyer, CMEP Advisory Council Staff Support

Action Information

Report Desirée Sawyer, CMEP Advisory Council Staff Support, will walk the advisory council through the logistics of the collaboration site, workplan/action items, finalizing minutes, and self-certification worksheet reviews.

of 49


AGENDA 3 Work Plan Updates

a. Status of all Work Plan ItemsCarl Stelly, Chair

Action Review status of all work plan items.

Report Chair Carl Stelly will walk through all work plan items to get a current status to ensure the work plan is up to date.

of 49



b. Survey to Primary Compliance Contacts and 2019 CMEP Conference RegistrantsCarl Stelly, Chair

Action Discussion

Report Chair Stelly will lead this discussion during the meeting. The results of the survey will be provided on the CMEPAC’s collaboration site, after close of business on February 28, 2020.

of 49



c. CMEPAC Monthly CallCarl Stelly, Chair

Action Finalize parameters for the CMEPAC Monthly Call.

Report

Background:

The MRO has supported member driven outreach via forums and councils in a couple different ways, all with great success. The NERC Standards Review Forum (NSRF) has been holding a weekly conference call for over 10 years. The NSRF is known by FERC Staff, NERC Standards Staff, Standard Drafting Teams and many Entities outside of the MRO membership. The Security Advisory Council (SAC) has been holding weekly open conference calls for 2 years, discussing real-time security issues. Many issues discussed on the SAC open calls provide the genesis for future topics to be discussed at future Security Conferences. This “added value” to MRO members provides a situational awareness that Entity’s can use to assure their security practices are mitigating current security risks.

Proposed CMEPAC Monthly open call:

I am recommending that the CMEPAC “test the waters” by initiating an open monthly Compliance call with the following attributes:

• The CMEP would have a single short topic (during the startup of this program) to assure that thediscussion starts.

• Then open the floor for anyone to present an issue.• The call would be run by a CMEPAC members (perhaps topics could be presented by members

who are experts in their area [CIP, PRC, etc.]).• CMEPAC members would take the unresolved issue to MRO Staff for clarification and then

respond to everyone on the following call along with outreach to the Entity who presented the issue.• If a discover issue is noted that deserves wider dissemination, the CMEP would recommend a

follow up action (new letter, webinar, topic for CMEP conference items, Application Guides, etc.).

What the monthly call should not be:

• A forum to determine if an Entity is compliant for any enforceable Standard. This is solely anEntity’s responsibility.

o The CMEPAC may assist with promoting: MRO’s HERO Past items of the PROS, SC, CC See if the issue should be broadcasted via a webinar, news article, etc.

• A platform to discuss a bad Standard

of 49


o The CMEPAC may recommend that the Entity become involved in the NSRFo Explain the Standard’s Development Process

• Any other item that shifts

The intent of this call is to promote reliability and security predicated on the enforceable Standards. It should promote value to MRO Members. This will also promote Entities to become “high performers” and assist them in demonstrating their performance to MRO.

of 49


AGENDA 3 Work Plan Updates d. Webinars 2020Carl Stelly, Chair

Action Determine webinar topics for the CMEPAC to host in Q2 and Q3 of 2020.

Report Chair Stelly will lead this discussion during the meeting. Please come to the meeting with any proposed topics you may have.

of 49



e. Newsletter Articles 2020Carl Stelly, Chair

Action Determine a newsletter topic for the May/June, July/August, September/October, and November/December issues of MRO Reliability Matters.

Report Chair Stelly will lead this discussion during the meeting. Please come to the meeting with any proposed topics you may have.

of 49



f. Vote to Recommend to OGOC for ApprovalCarl Stelly, Chair

Action Vote to recommend the CMEPAC’s work plan to the OGOC for approval.

Report Chair Stelly will lead this discussion and request the vote.

of 49


AGENDA 4 2020 CMEP Conference Planning

Carl Stelly, Chair

Action Discussion

Report Chair Stelly will lead the advisory council in planning discussions for the 2020 CMEP Conference. A draft agenda will be shared on the advisory council’s collaboration site prior to the meeting.

of 49


AGENDA 5 CORES Update

Russ Mountjoy, Manager, Registration, Certification and Standards

Action Discussion

Report The NERC CORES application went live in July of 2019. Although the application is “live” there is very little interaction between the registered entities and the application. Currently CORES is used to process new registration requests, de-registrations and name changes. Registered entities are required to maintain their contacts through the use of the legacy system, webCDMS.

Prior to going live, NERC developed a series of instructional videos for the use of CORES which have successfully assisted in the registration of new entities. NERC has recently suggested that regional entities offer training to their stakeholders. MRO would like to hold off on any CORES related training at this time since the training videos provided by NERC have proven to be a successful training tool, and unless an entity is changing their name or registration status, MRO does not see a benefit to providing training for registered entities at this time.

In addition, MRO has heard from only a couple of stakeholders expressing interest in CORES training. MRO has shared plans with NERC to hold a webinar at a future date, however, NERC believes the training should be held sooner rather than later. However, MRO maintains its position that training should be provided in a time frame more closely aligned with the full implementation of the CORES application.

MRO is seeking feedback from the CMEPAC regarding the timing of CORES application related training.

of 49


AGENDA 6 Standing Reports

a. NERC Compliance and Certification Committee (NERC CCC)Jami Young, MRO Representative on NERC CCC

Action Discussion

Report Jami Young will lead this discussion and provide an overview of the March 10-11, 2020, NERC CCC agenda items during the meeting.

of 49



b. NERC Standards Review Forum (NSRF) Joe DePoorter, Chair NSRF, CMEPAC Member

Action Information

Report The MRO NSRF continues to review, make comments and provide voting recommendation to the MRO members and guest on all NERC Reliability Standard Projects. There continues to be a slight decline in the Projects for the Forum to review, however, the Forum still reviews every posted Project by a lead agent of the Forum, which allows one person to summarize all comments from MRO members and establishes a common platform that not only benefits the MRO members but should enhance the reliability and security of the bulk power system

Areas of Focus

The NSRF’s area of focus will be to review the Standards as laid out in the current Reliability Standards Development Plan, established by NERC.

Accomplishments

The NSRF has reviewed Project 2019-02 BES Cyber System Information Access Management so far in 2020.

Challenges

1. The NSRF is a volunteer Forum that is comprised of utility professionals who understand that allNERC Reliability Standards must mitigate either a current risk or emerging risk to the BPS. TheNSRF is building on the foundation that the CMEPAC and MRO Staff has set for our current andfuture state of reliability. Our challenge is to continually have a single voice that represents theentire MRO membership.

of 49



c. Mid-Continent Compliance Forum (MCCF)MCCF Member

Action Information

Report An MCCF member will provide an oral report during the meeting.

of 49



d. SPP RC Working Group (SPP-RCWG)SPP-RCWG Member

Action Information

Report An SPP-RCWG member will provide an oral report during the meeting.

of 49


AGENDA 7 Align Project Update

Desirée Sawyer, Align Change Agent

Action Information

Report Desirée Sawyer will provide an update on the Align Project. The presentation has been included in this packet and starts on the next page.

of 49

RELIABILITY | RESILIENCE | SECURITY

Align UpdateRegional Spring Workshops

February 18, 2020

of 49

RELIABILITY | RESILIENCE | SECURITY2

• Current Events• Guiding Principles• Release 1 Functionality and Users• Evidence Lockers• Regional Adoption and Business Readiness• Release 1 Training• What’s Next• FAQs

Agenda

of 49


• Regional subject matter experts (SMEs) are validating Release 1and data elements

• Training materials (i.e., videos, user guide, and quick referencecards) are under construction

• ERO Enterprise evidence locker is in design and will soon beunder construction

• Planning for stakeholder engagement (via CCC and otherentities) for user acceptance testing

• Planning for go live in Q4 2020 with two pilot Regions (i.e., MROand Texas RE) with select registered entities

Current Events

of 49


Guiding Principles

• All registered entity-provided evidence, unless prohibited by astandard, will go into the registered entity or ERO Enterpriselocker

• All registered entity lockers must meet ERO Enterprise-developed criteriafor functionality, access, etc.

• ERO Enterprise workflow and work products will be in the EROEnterprise Align tool.

• The ERO Enterprise will enhance work products (e.g., workingpapers) to support conclusions without the need to store datafor extended periods, minimizing data protection risk.

NOTE: The Align team will achieve this through training, guidance, oversight activities, and other outreach.

of 49


Release

3

Align Release Overview

Est. Q4 2021

Release

2Est. Q2 2021

Release

1Q4 2020

Align and Evidence Locker(s)

of 49


Align Release 1: What to expect as a registered entity?

Stakeholder Group

Release 1 Functionality• Create and submit Self-Reports and Self-Logs• Create and manage mitigating activities

(informal) and Mitigation Plans (formal)• View and track open Enforcement Actions

(EAs) resulting from all monitoring methods• Receive and respond to Requests for

Information (RFIs)• Receive notifications and view dashboards on

new/open action items• Generate report of standards and requirements

applicable to your entity• Manage user access for your specific entity• Manage evidence supporting R1 functionality

securely via separate Evidence Locker(s)

Registered Entities

of 49


Align Release 1: What to expect as a Regional Entity?

Stakeholder Group

Regional Entities

Release 1 Functionality• Receive Self-Reports and Self-Logs from entities• Manually create findings that result from any

monitoring method (i.e., audits, spot checks, investigations, periodic data submittals, self-certifications, complaints)

• Perform preliminary screens, PNC reviews, and disposition determinations for each PNC/EA

• Send and receive responses to RFIs• Trigger notifications such as NAVAPS, NOCV, CE

Letter, FFT Letter, and Settlement Agreements• Receive, review, and approve mitigating activities

(informal) and Mitigation Plans (formal)• Receive notifications and view dashboards on

new/open action items• Generate report of standards and requirements

applicable to a registered entity• View/analyze evidence supporting R1 functionality

securely via separate Evidence Locker(s) of 49


• Compliance Planning (i.e., Risk,CMEP Implementation Plan,Inherent Risk Assessment, InternalControls Evaluation, ComplianceOversight Plan)

• Compliance Audit• Spot Check• Compliance Investigations• Complaints• Expand use of evidence lockers to

include evidence submitted forthese activities

• Technical Feasibility Exceptions(TFEs)

• Periodic Data Submittals• Self-Certifications• Additional enhancements identified

from R1 as needed• Expand use of Evidence Lockers to

include evidence submitted forthese activities

Note: The monitoring methods above will be managed in existing systems during the gap between R1 and R2

Align Future Releases: What to expect?

Release 2 FunctionalityEst. Q2 2021

Release 3 FunctionalityEst. Q4 2021

of 49


• Highly secure, isolated, on-premises environments Collect and protect evidence Enable submission by authorized and authenticated entity users Provide compartmentalized analysis of evidence in temporary, isolated,

disposable environments Does not interface with any other systems

• Evidence in these environments is: Encrypted immediately upon submission Securely isolated per entity Never extracted Never backed up Subject to proactive and disciplined destruction policy

Evidence Lockers: What are they?

of 49


Evidence Lockers: How will they work?

ERO Enterprise Evidence Analysis Locker

Secure File Transfer

Enterprise Content

Management

Encryption• Regionally

Specific

Routing Rules

Management Utilities

Locker

Locker

Analysis Environment

Auditor Session• auditor tools• disposable

Auditor Session• auditor tools• disposable

MFA

Au

then

ticat

ionM

FA

Auth

entic

atio

n

Registered Entity User

AuthorizedCMEP

Personnel

Privileged SessionServer

MFA

SystemAdministrator

of 49


• Yes; however, they must be available and validated before theyare authorized for use for CMEP activities. Analysis tools availability (e.g., NP-View, RAT-STATS, MS Office, Adobe

Acrobat) Assurance of data integrity CEA login through NERC’s federated

authentication services

• The retention obligation does not change (e.g., the requirementstill exists for CEA access to evidence if the locker is retired).

Evidence Lockers: Can registered entities build them?

of 49


Regional Business Readinessand Training Approach

of 49


Release 1 Training: When will it occur?

The Align team will:• Release a training schedule between Q2 and Q3 once a go-live

date is announced• Provide ample time for training and preparation• Will roll out training Region by Region• Will train pilot Regions (i.e., MRO and Texas RE) first

of 49


Release 1 Training: What will it include?

• Align Release 1 functionality• Evidence Locker capability to support Release 1 activities• Regional changes in business processes for Release 1 activities• Management of CMEP activities to include current legacy

systems (Start/Stop/Continue)• Post-production support

A Release 1 Adoption Workshop will be held in each Region to prepare for training.

of 49


• The NERC Training Department is producing all materials. A training website will be available. The training will be the same in each Region.

• Train-the-Trainer• Training leads have been identified for each Region. The training leads will train the Regions and registered entities. NERC and the core team will support the training leads. Trainings will be held onsite and at NERC

Release 1 Training: What is the approach?

of 49


What’s Next?

• Validate system and data imports for Release 1• Complete training materials• Announce a training schedule• Schedule regional adoption workshops starting in May• Finalize evidence locker design and build• Finalize go-live and rollout schedule

of 49


FAQs

• For technical questions about evidence locker, review thewebinar from the Align Project Page.

• There are answers to more than 50 questions posted on theAlign Project FAQ page.

• Submit questions to [email protected].

of 49

https://www.nerc.com/ResourceCenter/Pages/CMEPTechnologyProject.aspx

https://www.nerc.com/ResourceCenter/Pages/FAQs.aspx

mailto:[email protected]


of 49


Release 1 ContentAlign Tool and Evidence Lockers

of 49


Note: ERO Enterprise information will not reproduce sensitive content from the evidence lockers.

Align Content – Compliance Monitoring

of 49


Note: ERO Enterprise information will not reproduce sensitive content from the evidence lockers.

Align Content - Enforcement

of 49


AGENDA 8 Work Plan Breakout Groups

Carl Stelly, Chair

Action Discussion

Report Carl Stelly will lead this discussion.

of 49


AGENDA 9 Review of Action Items

Desirée Sawyer, CMEP Advisory Council Staff Support

Action Review open action items and new action items.

Report Desirée Sawyer, CMEP Advisory Council Staff Support will review the open action items with the advisory council members and recap the action items captured during the meeting.

of 49


AGENDA 10 Recommendation to OGOC on CMEPAC Nominations

Carl Stelly, Chair

Action Vote on nominations received for the CMEPAC. Make nominee recommendation to the OGOC for its approval.

Report This portion of the meeting will be a closed session. Nominations will be provided through the CMEPAC’s collaboration site after COB on February 28, 2020. All nominees will be invited to the meeting via WebEx. Please review the nominations prior to the meeting. Chair Stelly will lead the candidate review and vote.

of 49


AGENDA 11 Other Business and Adjourn

Carl Stelly, Chair

of 49

compliance monitoring and enforcement program (cmep ... cmepac final agenda... · make every...

Documents