Best Practices for NERC CIP Compliance – Readiness

Part 4 – Readiness

Introduction

NERC CIP standards are designed to protect the reliability and security of the North American bulk power system. Readiness for NERC CIP compliance is arguably the most important of the four categories of best practices. Readiness activities prepare the entity for compliance, including the audits, spot checks and other tests that may arise during the entity's lifespan.

Below we discuss NERC CIP best practices, specifically the readiness-related activities that help you maintain compliance and minimize the risk of fines or penalties:

Readiness

As part of Readiness you may need to undertake the following activities and actions:

Perform Regular Risk Assessments

Conduct regular risk assessments to identify potential vulnerabilities in your infrastructure.

This process helps you pinpoint areas where compliance may be at risk and enables you to take appropriate corrective actions.

Maintain Documentation (Evidence)

Keep detailed records and documentation of all compliance activities, risk assessments, audits, and training programs.

This documentation serves as evidence of your efforts to comply with NERC CIP requirements.

Develop and Implement Training Programs

Educate your staff about NERC CIP regulations, their importance, and their role in compliance. Provide targeted training to employees who handle critical assets, ensuring they understand their responsibilities in maintaining compliance.

Perform Self-Audits

Regularly conduct internal audits to assess your utility’s compliance status. Self-audits help identify areas that need improvement and enable you to address any issues before they become larger problems.

Engage in External (mock) Audits

Engage external auditors to conduct independent audits of your compliance program. These audits can provide an objective evaluation of your utility’s adherence to NERC CIP regulations and help identify any potential weaknesses.

Compliance Audits and Spot Checks

The Regional Entities utilize several methods to carry out their compliance functions, including regularly scheduled compliance audits, spot checks, and self-certifications. Registered entities are subject to audit for compliance with all NERC Reliability Standards applicable to the functions for which they are registered. Registered entities should have a working familiarity with the NERC Rules of Procedure, the Compliance Monitoring and Enforcement Program for their respective Regional Entity, and other regional documents. Links to each of the Regional Entity websites are located below.

Critical Success Factors

- Executive support

- Dedicated owner with the right skills and resources to run the program

- Tracking of important schedules and tasks

- Maintaining documentation

- Timely reporting of issues

- Creating a culture of compliance

NERC CIP Best Practices

The four main categories of best practices for NERC CIP compliance include:

Governance

Reporting

Readiness

Reconnaissance
