CIP Version 3 is void on July 1 and new versions of CIP are enforceable.
CIP Version 5 establishes bright-line criteria that entities must use to determine their qualification as High, Medium, or Low Impact. If an entity falls under High or Medium, based on the bright-line criteria, it is responsible for more than 140 requirements and sub-requirements as of April 1.
If an entity qualifies as Low Impact, it has some additional requirements, including the development of a Cyber Security Plan under CIP-003-6 effective July 1, 2017, which addresses the following:
• Cyber security awareness (R 2.1)
• Physical security controls (R 2.2)
• Electronic access controls for external routable protocol connections and dial-up connectivity (R 2.3)
• Incident response to a cyber security incident (R 2.4)
Versions 5 and 6 of the CIP Standards represent a significant change in CIP compliance for the industry. All assets are now subject to the requirements and must be categorized as High, Medium, or Low.
Training will be a critical part of an entity’s CIP efforts considering the importance of making sure all staff members understand and comply with Versions 5 and 6.
Another key issue is the limited resources entities have to maintain compliance with Version 3 while designing processes, procedures, and controls to comply with Version 5 by the deadline. Some entities are hiring additional staff while others are contracting to support existing staff.
Below is a brief outline of CIP Versions 5 and 6. For detailed information, please see the CIP Transition Program.
Senior Advisory Services Manager
All entities, regardless of registration, that are identified as responsible entities as defined in CIP-002-5.1. The level of compliance responsibility depends on whether BES Cyber Assets qualify as High, Medium, or Low Impact.