Welcome! NERC 2017 Standards and Compliance Workshop JW Marriott - - PowerPoint PPT Presentation



SLIDE 1

Welcome!

NERC 2017 Standards and Compliance Workshop JW Marriott New Orleans

July 11-12, 2017

SLIDE 2

RELIABILITY | ACCOUNTABILITY

NERC Antitrust Compliance Guidelines

It is NERC’s policy and practice to obey the antitrust laws and to avoid all conduct that unreasonably restrains competition. This policy requires the avoidance of any conduct that violates, or that might appear to violate, the antitrust laws. Among other things, the antitrust laws forbid any agreement between or among competitors regarding prices, availability of service, product design, terms of sale, division of markets, allocation of customers, or any other activity that unreasonably restrains competition.

SLIDE 3

Public Announcement

Participants are reminded that this meeting is public. Notice of the meeting was posted on the NERC website and widely distributed. The notice included the number for dial-in participation. Participants should keep in mind that the audience may include members of the press and representatives of various governmental authorities.

SLIDE 4

General Announcements

  • Safety
    • Fire exits
    • Calling 911
    • Alerting hotel staff
    • CPR
  • Other Logistics
    • Q&A
    • Restrooms

SLIDE 5

Today’s Agenda

  • 9:00 – Noon: NERC Standards and Compliance 101
    • Mat Bunch
    • Latrice Harkness
    • Shamai Elstein
    • Ryan Mauldin
  • Noon – 1:00 p.m.: Lunch
  • 1:00 – 1:10 p.m.: Welcome and Introductions
    • Laura Anderson
    • Ryan Mauldin
  • 1:10 – 1:20 p.m.: Keynote Remarks
    • Howard Gugel
    • Andrea Koch

SLIDE 6

Today’s Agenda

  • 1:20 – 1:30 p.m.: Interactive Demonstration
    • Laura Anderson
    • Ryan Stewart
  • 1:30 – 2:00 p.m.: Cost Effectiveness
    • Steven Noess
    • Soo Jin Kim
  • 2:00 – 2:15 p.m.: SBS Enhancements
    • Chris Larson
  • 2:15 – 3:15 p.m.: Break
  • 3:15 – 3:45 p.m.: NERC Registration Initiatives
    • Ryan Stewart

SLIDE 7

Today’s Agenda

  • 3:45 – 4:00 p.m.: Project 2016-03 – Cyber Security Supply Chain Management
    • Soo Jin Kim
  • 4:00 – 4:45 p.m.: Compliance Monitoring Update (Coordinated Oversight of MRREs, IRAs, and Compliance Guidance)
    • Kim Israelsson
    • Kiel Lyons
  • 4:45 – 5:00 p.m.: General Q&A/Closing Announcements
    • Laura Anderson
    • Latrice Harkness
  • 5:30 – 6:30 p.m.: Reception

SLIDE 8

SLIDE 9

Keynote Remarks

Howard Gugel, NERC Senior Director of Standards and Education
Andrea Koch, NERC Senior Director of Reliability Assurance

SLIDE 10

Cost Effectiveness and Guidelines and Technical Basis

Steven Noess, Director of Standards Development
Soo Jin Kim, Manager of Standards Development
2017 Standards and Compliance Workshop
July 11, 2017

SLIDE 11

History of Cost Effectiveness

  • Northeast Power Coordinating Council, Inc. procedure
  • NERC Cost Effective Analysis Process
  • 2015 policy input
  • Cost effectiveness method piloted in 2016

SLIDE 12

Cost Effectiveness

  • 2017 Board of Trustees made this a priority effort
  • All projects will generally consider cost effectiveness at a high level
  • All formal comments will provide industry a chance to comment on cost considerations
  • Two questions to address
    • What is level of cost versus reliability benefit?
    • Can the most cost-effective solution be used?

SLIDE 13

Current Activities

  • Periodic Reviews
  • Standards grading metric
  • Additional pilots of proposed method

SLIDE 14

Examples

  • Examples of Project Questions Posed
    • Supply Chain: The standard drafting team believes proposed CIP-013-1 and the draft Implementation Guidance provide entities with flexibility to meet the reliability objectives in a cost-effective manner. Do you agree? If you do not agree, or if you agree, but have suggestions for improvement to enable additional cost-effective approaches, please provide your recommendation, and if appropriate, technical justification.
    • VAR EPR: The team did not identify a concern related to cost effectiveness as drafted. Do you agree? If not, please provide additional detail.

SLIDE 15

Future Activities

  • Comments solicited in periodic reviews
  • Comments solicited in Standard comment periods
  • Evaluate compliance and enforcement cost impacts
  • Cost comment themes provided in Board of Trustees presentations

SLIDE 16

Guidelines and Technical Basis

  • History
  • Initially designed to support results-based standards
  • First used in FAC-003-2
  • Contained an “information only” disclaimer
  • Incorporated into standard development template
  • Disclaimer paragraph was omitted

SLIDE 17

Purpose

  • Provides drafting teams a mechanism to:
    • Explain the technical basis for Reliability Standard
    • Provide technical guidance to help support effective application
  • To further clarify Guidelines and Technical Basis (GTB):
    • NERC staff and Standards Committee (SC) leadership to coordinate
    • Captured in Task 3 in SC Strategic Plan

SLIDE 18

Summary of work

  • NERC staff and SC leadership collaboration
  • A separate document to explain technical basis
  • Focus on understanding technology and the technical requirements
  • No compliance approaches or compliance guidance
  • Encourage use of NERC Compliance Guidance Policy

SLIDE 19

Timeline

  • Present to SC for endorsement
  • Report results at August Standards Oversight and Technology Committee meeting
  • Begin implementing for all projects going forward
  • Consider in periodic reviews whether to remove GTB from existing standards

SLIDE 20

Implementation Guidance

  • Implementation Guidance provides examples of implementing the standard
  • Developed by industry
  • Can be developed by:
    • Standard drafting teams; or
    • Pre-qualified organization
  • Supply Chain project was the first drafting team to seek endorsed Implementation Guidance

SLIDE 21

SLIDE 22

Standards Balloting and Commenting System (SBS) Enhancement Feature Overview and Training

Chris Larson, Manager of Standards Information
2017 Standards and Compliance Workshop
July 11, 2017

SLIDE 23

2017 Enhancement Features

  • Ability for users to vote, delegate/revoke proxy rights, and join ballots/ballot pools from the “Ballot Events” page
  • All references to the term “Survey” will be replaced with the term “Comment Form”
  • Ability for users to proceed directly to the “Real-time Comments” page (formerly “Social Survey”) without first having to provide a response
  • Ability for users to select members from the Registered Ballot Body (RBB) when creating groups
  • Users will no longer be prompted to confirm negative opinions for Non-binding Polls
  • The system will save users’ selected sort and/or filter view on all pages instead of reverting back to a default view

SLIDE 24

“Ballot Events” Page

  • The “My Voting Activity” page will be removed and the voting-related functions listed below will be carried out on the “Ballot Events” page
    • Join/withdraw from ballot pools
    • Delegate/revoke proxies
    • Vote for ballots
  • New icon/function buttons will be added to the page (screenshots below)

A and D – Join and withdraw from ballot pool
B – Vote
C and E – Delegate and revoke proxy rights

SLIDE 25

Change of the Term “Survey” to “Comment Form”

  • Terms such as “Surveys” and “Take Survey” will be replaced with the terms “Comment Form” and “Submit Comments” for consistency between Standards’ communications/postings and the SBS

SLIDE 26

“Real-time Comments” Page

  • The current term/page “Social Survey” has been renamed “Real-time Comments.” Today, users who try to access this page without first submitting comments receive the following error message:
  • Voters, proxies, and contributors will have the ability to provide a thumbs-up (like), thumbs-down (dislike), to other submitters’ comments without having to provide a response themselves.

SLIDE 27

RBB Members and Creating Groups

  • When submitting a comment, users will have the ability to select current RBB members when creating groups
  • The ability to manually enter/edit group members will remain

SLIDE 28

Negative Opinions and Confirmations for Non-binding Polls

  • For non-binding poll ballot types, voters and proxies will not be prompted to comment or declare support for a third-party comment if a negative opinion is cast

SLIDE 29

Sort and Filter

  • Any filtered, and/or sorted results, will be retained when navigating between SBS pages
  • Once a user logs out of the SBS, the filtered, and/or sorted selection, will revert to a default state

SLIDE 30

2017 Enhancement Features Recap

  • All vote-related functions located on the “Ballot Events” page
  • The term “Survey” replaced with the term “Comment Form”
  • Proceed directly to the “Real-time Comments” page without submitting a comment
  • Select members from the Registered Ballot Body (RBB) when creating groups
  • No confirmation necessary for negative opinions for Non-binding Polls
  • Sort and/or filter view on all pages will be retained

SLIDE 31

Standards Information Links

  • NERC’s Balloting and Commenting page
  • SBS Quick Reference Guide
  • SBS Tutorial
  • 2017 SBS Enhancement Presentation slides
  • Administrative Support: ballotadmin@nerc.net
  • NERC IT Support: https://support.nerc.net/
  • Standard Processes Manual
  • Appendix 3D – RBB Criteria
  • SBS Enhancements Webinar

SLIDE 32

SLIDE 33

Break

Webinar participants: We will return at 3:15 p.m. Central

SLIDE 34

Entity Registration Update

Ryan Stewart, NERC Manager of Registration Services
2017 Standards and Compliance Workshop
July 11, 2017

SLIDE 35

Site Overview

SLIDE 36

Portal CFR Landing Page

SLIDE 37

CFR Landing Page

SLIDE 38

CFR Record Dropdown Options

SLIDE 39

Portal CFR Detailed View

SLIDE 40

Portal CFR Detailed View

SLIDE 41

Basic Information

SLIDE 42

Basic Information

SLIDE 43

View Matrix Snapshot

SLIDE 44

Entity Contacts

SLIDE 45

Choose Requirements

SLIDE 46

Set Responsibilities

SLIDE 47

Requirement Notes Modal

SLIDE 48

Upload Documents

SLIDE 49

Submit CFR

SLIDE 50

CRM CFR Landing Page

SLIDE 51

Regional CFR Summary View

SLIDE 52

CFR Matrix View

SLIDE 53

NERC CFR Detailed View

SLIDE 54

Reporting

SLIDE 55

Downloadable CFR Matrix

SLIDE 56

SLIDE 57

Cyber Security Supply Chain Risk Management

Soo Jin Kim, NERC Manager of Standards Development
2017 Standards and Compliance Workshop
July 11, 2017

SLIDE 58

FERC Order No. 829

[the Commission directs] that NERC, pursuant to section 215(d)(5) of the FPA, develop a forward-looking, objective-driven new or modified Reliability Standard to require each affected entity to develop and implement a plan that includes security controls for supply chain management for industrial control system hardware, software, and services associated with bulk electric system operations.

  • Order No. 829, July 2016
  • Standard(s) must be filed by September 27, 2017

SLIDE 59

Standards Development Process

  • First formal comment period January 20 – March 6, 2017
  • Second formal comment period May 2 – June 15, 2017

Timeline:

  • Oct 2016 – Mar 2017: Tech Conference, 1st Formal Balloting
  • May 2017: 2nd Formal Comment and Balloting
  • July 2017: Final Ballots
  • August 2017: NERC Board Adoption
  • September 2017: Deadline for filing

SLIDE 60

June Ballot Results

Name         Ballots: Approval    Non-binding Polls: Supportive Opinions
CIP-005-6    89.84%               88.53%
CIP-010-3    82.92%               88.02%
CIP-013-1    88.64%               89.57%

SLIDE 61

Final Ballot

  • Standard drafting team (SDT) did not make substantive changes to requirements

Clarifications

  • CIP-013-1 Requirement R1 Part 1.2.4
    • Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity
  • CIP-010-3 Requirement R1 Part 1.6
    • Prior to a change that deviates from the existing baseline configuration…verify software identity and integrity.
    • Measure revised to include evidence of automated update process
  • Updated CIP-010-3 Guidelines and Technical Basis section

SLIDE 62

Comment Responses

Common questions addressed by the SDT

  • CIP-013-1 Requirements to address software verifications and vendor remote access are not duplicative of CIP-010/CIP-005
    • Procurement versus Operational
  • CIP-005-6 Requirements for vendor remote access do not require session recording
  • CIP-010-3 Requirements for software verifications apply to baseline changes only (do not apply to new system installation)
  • Software verifications do not need to be repeated for each BES Cyber System

SLIDE 63

Implementation Guidance

  • Implementation Guidance developed by the SDT has been endorsed by the ERO Enterprise
  • Provides examples of approaches for complying with CIP-013-1
    • Risk-based approach to Cyber Security Supply Chain Risk Management plans (R1)
    • Processes for planning to procure BES Cyber Systems that identify and assess cyber security risks from vendor products or services (R1 Part 1.1)
    • Request-for-proposal or negotiation provisions to address topics in R1 Part 1.2.1 – 1.2.6
    • Processes for periodically reviewing and approving plans (R3)

SLIDE 64

Next Steps

  • Standards will be submitted for the August 10, 2017 NERC Board of Trustees meeting
  • FERC Order No. 830 filing deadline is September 27, 2017
  • After filing, priority shifts to development of a comprehensive strategy for implementation (pending regulatory approval)

SLIDE 65

Contact Information

  • Refer to the Project 2016-03 page for more information
  • Email laura.anderson@nerc.net to join the email list
  • Corey Sellers, Southern Company, SDT Chair
    • Email at mcseller@southernco.com
  • JoAnn Murphy, PJM Interconnection, SDT Vice Chair
    • Email at joann.murphy@pjm.com

SLIDE 66

SLIDE 67

Coordinated Oversight Program for Multi-Region Registered Entities

Kim Israelsson, Manager, Compliance Program Coordination and Process Integration, WECC
2017 Standards and Compliance Workshop
July 11, 2017

SLIDE 68

Agenda

  • Program objective and benefits
  • Inclusion criteria
  • Participation requests
  • 2016 participant survey feedback
  • Program enhancements
  • Current participation
  • ERO Enterprise contacts

SLIDE 69

Objective

  • Focus on risk to reliability, while improving:
  • Efficiency
  • Single point of contact
  • Streamlining processes
  • Consistency
  • Compliance Monitoring and Enforcement Program (CMEP) activities
  • Organization Registration and Certification Program (ORCP) activities
  • Reporting requirements and tools

SLIDE 70

Benefits of Coordinated Oversight for MRREs

  • Lead Regional Entity (LRE) and Affected Regional Entities (ARE) coordinated to provide:
    • Single point of contact for CMEP, ORCP, and other activities
    • Centralized monitoring, enforcement, and reporting

SLIDE 71

Criteria for Inclusion in Coordinated Oversight Program

  • Registered Entity
  • Operates in or owns assets in two or more Regional Entity(ies) jurisdictions
  • Verifies its Primary Compliance Contact (PCC), Authorizing Officer (AO), or Primary Compliance Officer (PCO) contact information is accurate prior to submitting request for inclusion
  • Designates a PCC

SLIDE 72

Participation Request Process

  • PCC, AO, or PCO submits initial request to designated NERC or Regional Entity MRRE coordinated oversight contacts
  • Requests may include the following information:
    • Registered Entity name(s)
    • NERC Compliance Registry (NCR) Number(s) to be included
    • Applicable Regional Entities
    • Applicable registered functions
    • PCC information for MRRE
    • Description of registered entity(ies) compliance program
    • Description of facilities

SLIDE 73

2016 Participant Survey

  • Survey sent to 40 MRREs in Coordinated Oversight Program in June 2016
  • Responses received from all 40 MRREs
  • Survey requested feedback on:
    • Implementation and streamlining of activities
    • LRE and ARE coordination
    • Overall satisfaction
    • General Comments
  • 97% of MRREs support continued participation
  • 84% of the MRREs believe it fulfills the objectives

SLIDE 74

Participant Survey – Value Statements

  • “The MRRE program has been a welcome enhancement for our compliance efforts.”
  • “Overall, it has been a very positive experience for our organization.”
  • “The MRRE program has been extremely successful in streamlining processes and more effectively utilizing resources.”
  • “Entity’s assessment at this early stage is “so far, so good.” We have no suggestions for improvement at present. The program has been quite beneficial for us.”

SLIDE 75

Participant Survey – Improvement Opportunities

  • Inherent Risk Assessments (IRA)
  • Data systems and portals for data collection
  • Technical Feasibility Exceptions (TFEs) submittals
  • Periodic Data Submittals
  • Communication
  • Information about process and what to expect
  • Guidance on changes to registered entity assets and potential impacts on program participation

SLIDE 76

Program Enhancements

  • 2017 enhancements
  • Developed and publicly posted an ERO Enterprise consolidated 2017 Periodic Data Submittal schedule
  • Developed internal, ERO Enterprise procedures to address roles, responsibilities, and processes
  • Developed ERO Enterprise templates
  • Conducted ERO Enterprise staff training
  • Ongoing enhancements
  • TFE submittals
  • Communication and transparency of processes
  • Maintain list of Frequently Asked Questions
  • 2017 Participant Survey
  • 2017 outreach (e.g., Fall industry webinar)

SLIDE 77

MRRE – Regional Breakdown*

  • MRO: 12%
  • NPCC: 1%
  • RF: 16%
  • SERC: 11%
  • SPP RE: 10%
  • Texas RE: 44%
  • WECC: 6%

*As of Q1 2017.

SLIDE 78

MRRE – Distribution by Registered Function

[Bar chart: Number of Entities Registered by Registered Function]

  • BA: 23
  • DP: 30
  • GO: 166
  • GOP: 155
  • PA: 11
  • RC: 6
  • RP: 32
  • RSG: 6
  • TO: 39
  • TOP: 35
  • TP: 32
  • TSP: 14

*As of Q1 2017.

SLIDE 79

Team Members Contact Information

Designated NERC/Regional Entity MRRE Coordinated Oversight Contacts

  • Scott Knewasser - FRCC: sknewasser@frcc.com
  • Sara Patrick - MRO: SE.Patrick@MidwestReliability.org
  • Stanley Kopman - NPCC: skopman@npcc.org
  • Megan Gambrel - RF: megan.gambrel@rfirst.org
  • Todd Curl - SERC: TCurl@serc1.org
  • Jim Williams - SPP RE: jwilliams.re@spp.org
  • Bill Lewis - Texas RE: William.Lewis@TEXASRE.org
  • Kim Israelsson - WECC: kisraelsson@wecc.biz
  • Barb Nutter - NERC: barbara.nutter@nerc.net

For questions, please contact a designated NERC/Regional Entity MRRE contact for assistance

SLIDE 80

SLIDE 81

Inherent Risk Assessments

Kiel Lyons, Manager, Grid Planning and Operations Assurance
2017 Standards and Compliance Workshop
July 11, 2017

SLIDE 82

Risk-based CMEP

SLIDE 83

What is an IRA?

  • Inherent Risk Assessment (IRA) process end goal is entity-specific Compliance Oversight Plans (COPs)
  • Functions performed
  • Assets owned or operated
  • Location
  • 18 common Electric Reliability Organization (ERO) risk factors and criteria
  • Common criteria established, with regional flexibility provided
  • Other considerations
  • Entity performance data (e.g., misoperations, event analysis)
  • Compliance history
  • Knowledge of the entity (e.g., internal controls)
  • Risk Elements

SLIDE 84

Output of IRA

  • How considerations impact monitoring of inherent risk
  • Development of Compliance Oversight Plans (COPs)
  • Reliability Standards and requirements for compliance monitoring
  • Compliance monitoring tools (i.e., CMEP Tools)
  • Interval of compliance monitoring

SLIDE 85

Resources

  • Guide for Compliance Monitoring
    • http://www.nerc.com/pa/comp/Reliability%20Assurance%20Initiative/ERO%20Enterprise%20Guide%20for%20Compliance%20Monitoring.pdf

SLIDE 86

SLIDE 87

Compliance Guidance

Kiel Lyons, Manager, Grid Planning and Operations Assurance
2017 Standards and Compliance Workshop
July 11, 2017

SLIDE 88

Overview

  • Compliance Guidance Policy
  • Types of Guidance
  • Pre-Qualified Organizations
  • Endorsement Process
  • Current Guidance
  • Website
  • Resources
  • Key Take-Aways

SLIDE 89

Compliance Guidance Policy

Principles

  • Cannot change scope of Reliability Standard
  • May be developed concurrently with Reliability Standard
  • Should not conflict
  • Should be developed collaboratively
  • Not only way to comply
  • Additional Considerations:
    • Finite and limited set
    • Related guidance in one location
    • Consider revising standard
    • Apply professional judgment
    • Feedback loops

SLIDE 90

Types of Guidance

  • Compliance Guidance
    • Implementation Guidance
    • CMEP Practice Guides

SLIDE 91

Types of Guidance

Implementation Guidance

  • Developed by industry, for industry
  • Examples or approaches
  • One of several possible approaches
  • Developed by:
  • Standard Drafting Team (SDT)
  • Vetted by industry
  • Pre-Qualified Organization
  • Endorsed by ERO Enterprise, with deference

SLIDE 92

Types of Guidance

  • CMEP Practice Guides
    • Developed by ERO Enterprise, but may be initiated through a policy discussion with industry
    • Address how CMEP staff executes CMEP activities
    • Possible considerations include the discretion to be applied, auditing practices, risk assessment techniques, policies, and areas of focus
    • Not approaches to comply with standards
    • Uniform approaches that foster consistency across the ERO Enterprise
    • Publicly posted for transparency
    • Apply professional judgment when evaluating methods or approaches not identified in guidance

SLIDE 93

Types of Guidance

CMEP Practice Guides

  • Developed by ERO Enterprise, for ERO Enterprise
  • May be initiated through industry discussions
  • Publicly posted
  • ERO Enterprise CMEP staff approach
  • Fosters consistency
  • Possible considerations include the discretion to be applied, auditing practices, risk assessment techniques, policies, and areas of focus

SLIDE 94

Pre-Qualified Organizations

Approved by Compliance and Certification Committee (CCC)

  • The organization must:
    • Be actively involved in NERC operations
    • Have methods to assure technical rigor
    • Possess ability to vet content

SLIDE 95

Pre-Qualified Organizations

Pre-Qualified Organization Application Process

  • Applicant applies with the CCC
  • CCC Reviews Application
  • CCC notifies the applicant of approval
  • Applicant is added to Pre-Qualified Organization List

SLIDE 96

Pre-Qualified Organizations

  • Standard Drafting Team (SDT)
  • Identifies examples
  • Reviews existing guidance
  • Examples vetted by industry
  • Decision to submit for ERO Enterprise endorsement made by:
  • Project Management and Oversight Subcommittee (PMOS) liaison and
  • NERC Standards Developer submit for ERO Enterprise endorsement
  • May not submit guidance after standard is approved
  • Must be submitted by Pre-Qualified Organization

SLIDE 97

Endorsement Process

Endorsement of Implementation Guidance

  • Pre-Qualified Organization or SDT submit proposed guidance
    • Email to ComplianceGuidance@nerc.net
    • Include Implementation Guidance Submittal Form
  • NERC
    • Acknowledges receipt
    • Posts proposed guidance
    • Distributes to ERO SME
  • ERO endorses or declines to endorse
    • Publicly posted
    • Non-Endorsed noted in spreadsheet

SLIDE 98

Current Guidance

  • Implementation Guidance Under Development/Consideration
    • CEIWG - Voice Communications in a CIP Environment (VOIP in Control Centers)
    • CEIWG - Shared Facilities (CIP)
    • CEIWG - NRC Employee Access and CIP-004 Personnel Risk Assessment
    • NATF - TPL-001-5
    • NATF - CIP-010-2 Transient Cyber Assets
    • NATF - CIP-014-2, R4 and R5
    • NEI - PRC-024-2, R1, R2, and R3
    • WICF - CIP-010-5 R1 Part 1.1.4 - Netstat baseline for Ports and Services
    • WICF - MOD-025/MOD-026 - Manufacture curve/data is not available

SLIDE 99

Website

SLIDE 100

Website

SLIDE 101

Website

SLIDE 102

Website

SLIDE 103

Resources

  • Compliance Guidance web page
    • http://www.nerc.com/pa/comp/guidance/Pages/default.aspx
  • Compliance Guidance Policy
    • http://www.nerc.com/pa/comp/Resources/ResourcesDL/Compliance_Guidance_Policy_FINAL_Board_Accepted_Nov_5_2015.pdf
  • How to Submit Proposed Guidance
    • http://www.nerc.com/pa/comp/guidance/Documents/Pre-qualified_org_submittal_with_form.pdf

SLIDE 104

Resources

  • Pre-Qualified Organization list
    • http://www.nerc.com/pa/comp/guidance/Documents/Pre-qualified%20organizations.pdf
  • Procedure to Become a Pre-qualified Organization
    • http://www.nerc.com/comm/CCC/Related%20Files%202013/Final%20CCCPP-011_May_BOTCC_updated.pdf
  • Pre-Qualified Organization Application
    • http://www.nerc.com/pa/comp/guidance/Documents/Application_Pre-Qualified_Organization.pdf

SLIDE 105

Key Takeaways

  • Implementation Guidance is one approach an entity may take to meet its obligations
    • Are developed and vetted by industry
    • Are endorsed/not endorsed by the ERO Enterprise
  • CMEP Practice Guides
    • Developed by, and for the ERO Enterprise
  • Industry Webinar held May 31, 2017
    • https://cc.readytalk.com/cc/playback/Playback.do?id=2iu36n
  • Lessons Learned Reference Sheet under development
    • Industry will be notified when available

SLIDE 106

SLIDE 107