Registered Entities that produce electricity and serve high-voltage transmission lines are required to comply with the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) reliability standards CIP-002-5 through CIP-011-1. NERC is responsible for managing the reliability standards and has specified CIP V5 compliance in the Implementation Plan for Version 5 CIP Cyber Security Standards.

NERC CIP compliance requires entities that are subject to the standards to pass semi-annual self-certifications and yearly off-site and on-site compliance audits. The yearly compliance audit schedule is published on the NERC website. Failure to comply with the CIP requirements can lead to non-compliance fines of up to $1 million per day, depending on the violations. Furthermore, non-compliance has a direct impact on brand reputation and exposes Registered Entities to negative publicity that weakens consumer confidence.

The NERC CIP standards are as follows:

  • BES Cyber System Categorization (CIP-002-5)
  • Security Management Controls (CIP-003-5)
  • Personnel and Training (CIP-004-5)
  • Electronic Security Perimeter(s) (CIP-005-5)
  • Physical Security of Critical Cyber Assets (CIP-006-5)
  • Systems Security Management (CIP-007-5)
  • Incident Reporting and Response Planning (CIP-008-5)
  • Recovery Plans for Critical Cyber Assets (CIP-009-5)
  • Configuration Change Management and Vulnerability Assessments (CIP-010-1)
  • Information Protection (CIP-011-1)

NERC CIP Compliance Program

The NERC CIP Compliance Program is designed to answer questions raised by Registered Entities that produce electricity and serve high-voltage transmission lines while they evaluate and select products to support the CIP standards. This Compliance Program provides validated evidence about a product’s features and capabilities to support the NERC CIP standards.

The NERC CIP Compliance Testing and analysis cover several aspects of the product, including:

  • Compliance Effectiveness
  • Product Capabilities Support
  • Management and Usability
  • Suitable for Use in and Recommended Configuration
  • Product Roadmap

NERC CIP Compliance Testing criteria

NERC CIP Compliance Testing is conducted by trained analysts against the NERC CIP Compliance Program criteria, as well as Compliance Labs functional and quality assurance requirements. The NERC CIP Compliance Program criteria rely on the intent of the NERC CIP requirements from the auditors’ perspective, on companies’ needs, and on queries of numerous specialists, including affected product vendors, developers, users and industry groups. The compliance analyst will report the results of each phase of testing in the Reports of Compliance, and will also document the product components submitted by the vendor and the configuration of the product evaluated.

Continuous evaluation process

Compliance Labs has developed the continuous evaluation process as a fundamental aspect of the Compliance Labs NERC CIP Compliance Program. The continuous evaluation process will monitor new compliance requirements and best practices and update the testing criteria to drive product compliance effectiveness and quality over the long term.
