Best Practices for NERC CIP Compliance – Reporting

Part 3 – Reporting

Introduction

NERC CIP standards are designed to protect the reliability and security of the North American bulk power system. Reporting requirements for cyber security can be fairly demanding. For example, cyber incident reporting requirements mean that covered entities must report any covered cyber incidents to CISA within 72 hours from the time the entity reasonably believes the incident occurred.

Below we discuss NERC CIP best practices, specifically reporting-related activities, to help you maintain compliance and minimize the risk of fines or penalties:

Reporting

As part of reporting, you may need to undertake the following activities and actions:

Incident Response and Reporting

Create Incident Response Plan

Establish a robust incident response plan that outlines the steps to be taken in case of a security breach or violation.

Report promptly

Ensure that all incidents are promptly reported to the appropriate authorities as required by NERC CIP regulations.

Self-Certification

The Guided Self-Certification is a monitoring method where a Registered Entity completes a self-assessment of its compliance with applicable Standards and Requirements, and submits substantiating evidence validating compliance.

Compliance Audits and Spot Checks

The Regional Entities utilize several methods to carry out their compliance functions, including regularly scheduled compliance audits, spot checks, and self-certifications. Registered entities are subject to audit for compliance with all NERC Reliability Standards applicable to the functions for which they are registered. Registered entities should have a working familiarity with the NERC Rules of Procedure, the Compliance Monitoring and Enforcement Program for their respective Regional Entity, and other regional documents. Links to each of the Regional Entity websites are located below.

Critical Success Factors

- Executive support

- Dedicated owner with the right skills and resources to run the program

- Tracking of important schedules and tasks

- Maintaining documentation

- Timely reporting of issues

- Creating a culture of compliance

NERC CIP Best Practices

The four main categories of best practices for NERC CIP compliance include:

Governance

Reporting

Readiness

Reconnaissance
