
NERC Committee Agenda Packages

The NERC Board of Trustees is meeting this week, and along with that are several standing committee meetings. While the meetings will not be simulcast online, the agendas for the meetings oftentimes include some interesting reading. A couple of items from the Members Representative Committee and the Compliance Committee were interesting.

Members Representative Committee

On page 44 of the MRC agenda package, Compliance Guidance Implementation is discussed. They provide an update on the new process where compliance guidance will be vetted by the “ERO Enterprise,” and after that vetting and approval, the guidance will be given “deference” from auditors in all the regions. This update says that the task force is beginning to review existing documents that can be submitted to the ERO Enterprise for endorsement. More interesting, though, is that the CCC members of the task force are developing a process to approve organizations to be able to submit guidance documents even if the organization is not already on the pre-qualified list to submit guidance documents.

Another interesting bit of news is that a CMEP Practice Guide focused on what it means for auditors to “provide deference” is being developed. The guide on how to provide deference will be the first CMEP Practice Guide published. The CMEP Practice Guides are basically guidance created by the ERO Enterprise that provides direction to auditors on how they should conduct audits.

Compliance Committee

Lessons Learned Documents

This one had this great quote: “The CIP Version 5 Transition Advisory Group identified specific issues with the CIP Version 5 standard language, which were temporarily resolved through Lessons Learned documents.”

It then lists the issues that are being referred to the CIP V5 Revisions Standards Drafting Team:

  • Transmission Owner Control Centers
  • BES Cyber Assets/Programmable Electronic Devices
  • Virtualization
  • External Routable Connectivity

To call these issues even temporarily “resolved” is quite the stretch. Virtualization is not addressed at all in the Lessons Learned (LL) documents. While the others were addressed, they were not resolved. For example, the LL on BES Cyber Assets doesn’t provide a definition for “programmable,” which forms the basis of the Cyber Asset definition but doesn’t have any clear definition itself.

Note: A coworker told me that she’s heard the same line (“temporarily resolved through LL documents”) used by the V5 TAG several times. This is the first I’ve noticed it, though.

IRAs and ICEs

The 2015 ERO Enterprise Annual CMEP Report was included in the agenda package. It said that there were 236 entities scheduled for an audit in 2015. The Regions conducted a total of 230 Inherent Risk Assessments for entities on the audit schedule, so they got almost all of them. They also performed 31 Internal Controls Evaluations for entities on the audit schedule, or about 13% of the entities that had an IRA performed. It would have been nice to have a breakdown of those numbers by region. Are all eight regions represented in those 31 ICEs? Or are the numbers dominated by just one or two regions? That would be helpful information to have, although it may be available from other sources; I haven’t researched that question.

Outreach Events Focused on Risk-based CMEP

These figures were included in the CMEP report. It seems weird that ReliabilityFirst would have done almost twice as many events as anybody else, but had the second lowest number of participants. These numbers would mean that RF only had about 9 participants per event, which seems quite low. It makes me wonder if the different regions didn’t all use a standardized definition of what constitutes an “outreach event.”