1

CIP Submittals - July 2010

Tony PurgarJune 22, 2010

2

Background Portal Update

◦ CIP 002 thru 009 Self Certification Forms Functional Specific (i.e. BA, RC, TOP – SCC, Other) Nuclear

◦ CIP Supplemental Questionnaire Portal Timing Reporting Periods Q & A

Topics

3

ReliabilityFirst has been collecting CIP Self Certifications, in the ReliabilityFirst Portal, on a bi-annual basis since 2008.◦ Custom portal forms have been developed and are updated for

each bi-annual self certification data collection.

◦ The forms are identified as CIP 002 – 009 and are function specific (i.e. BA, RC, TOP, etc)

◦ In Jan – 2010, ReliabilityFirst introduced the CIP 002 – 009 Nuclear Form

ReliabilityFirst has been collecting a CIP Supplemental Questionnaire, in the ReliabilityFirst Portal, on a bi-annual basis since 2009.

Background

4

CIP 002 – 009 Forms are being updated for the July 2010 data collection.◦ Each form includes specific questions about the Risk Based

Assessment Methodology (RBAM), Critical Assets, Critical Cyber Assets, Cyber Security Policy and the identification of the Senior Manager per CIP-003 R2

◦ Each form collects a registered entity’s compliance status with schedule/explanation, for each CIP Requirement, per the (Revised) Implementation Plan for Cyber Security Standards CIP-002-1 through CIP-009-1. The plan includes tables that specify the compliance schedules for

entities. Compliance Status options are: Not Started (NS), Begin Work (BW),

Substantially Compliant (SC), Compliant (C), Auditable Compliant (AC).

Portal Update

5

CIP 002-009 Nuclear Form◦ Introduced in Jan-2010◦ Being utilized for the second time in July 2010◦ Applies to Registered Entities who own or operate

a nuclear unit.◦ Content is same as functional specific forms◦ Current updates include:

One form must be filled out for each nuclear unit Collection of the nuclear unit name (since collecting

on form per unit)

Portal Update

6

CIP Supplemental Questionnaire◦ As of 5/25/10, NERC announced to the Regional

Entities that this questionnaire would not be administered by the regions for the July 2010 CIP data collection.

◦ Plans are to administer this questionnaire in Jan-2011 using a section 1600 data request.

Portal Update

7

CIP 002 – 009 Self Certification Forms◦ 7/1/10 – Start Date (Forms available in the Portal)◦ 8/2/10 – Due Date (Entity Submittal date)◦ 8/16/10 – Lockout Date (Forms no longer

available)

Portal Timing

8

CIP 002 – 009 Self Certification Forms◦ Per “NERC Compliance Process Bulletin #2010-

002: Update to 2010 CMEP Implementation Plan”:

Compliance_Process_Bulletin_2010-002_Update_2010 Implementation Plan.pdf

With CIP V2 standards effective on 4/1/10, special consideration was needed for the 2010 bi-annual CIP self certifications.

Reporting Period

9

CIP 002 – 009 Self Certification Forms◦ Self-certification due in July 2010 will cover

compliance with CIP Version 1 standards for the period from 1/1/10 – 3/31/10.

◦ Self-certification due in January 2011 will cover compliance with CIP Version 2 standards for the period April 1, 2010 through December 31, 2010. It is expected that this will be the last bi-annual self

certification. Plans are to release annual CIP Self Certification

forms (similar to dynamic Portal self cert forms) for use in latter 2011.

Reporting Period

10

Questions Questions should be emailed to Matt Thomas (matt.thomas@rfirst.org), Subject: “CIP WEBINAR” Questions will considered in the order they are received Clarifying questions are welcome and we’ll do our best to answer during the question period Challenges to a position should be addressed to the presenter and will be taken offline