CIP-003: Cyber Security Sub-Requirements

  • R2.1. The senior manager shall be identified by name, title, and date of designation.
  • R2.2. Changes to the senior manager must be documented within thirty calendar days of the effective date.
  • R2.3. Where allowed by Standards CIP-002 through CIP-009, the senior manager may delegate authority for specific actions to a named delegate or delegates. These delegations shall be documented in the same manner as R2.1 and R2.2, and approved by the senior manager.
  • R2.4. The senior manager or delegate(s) shall authorize and document any exception from the requirements of the cyber security policy.
  • R3.1. Exceptions to the Responsible Entity's cyber security policy must be documented within thirty days of being approved by the senior manager or delegate(s). (Retirement approved by FERC effective January 21, 2014.)
  • R3.2. Documented exceptions to the cyber security policy must include an explanation as to why the exception is necessary and provide compensating measures. (Retirement approved by FERC effective January 21, 2014.)
  • R3.3. Authorized exceptions to the cyber security policy must be reviewed and approved annually by the senior manager or delegate(s) to ensure the exceptions are still required and valid. Such review and approval shall be documented. (Retirement approved by FERC effective January 21, 2014.)
  • R4.1. The Critical Cyber Asset information to be protected shall include, at a minimum and regardless of media type, operational procedures, lists as required in Standard CIP-002, network topology or similar diagrams, floor plans of computing centers that contain Critical Cyber Assets, equipment layouts of Critical Cyber Assets, disaster recovery plans, incident response plans, and security configuration information.
  • R4.2. The Responsible Entity shall classify information to be protected under this program based on the sensitivity of the Critical Cyber Asset information. (Retirement approved by FERC effective January 21, 2014.)
  • R4.3. The Responsible Entity shall, at least annually, assess adherence to its Critical Cyber Asset information protection program, document the assessment results, and implement an action plan to remediate deficiencies identified during the assessment.
  • R5.1. The Responsible Entity shall maintain a list of designated personnel who are responsible for authorizing logical or physical access to protected information.
    • R5.1.1. Personnel shall be identified by name, title, and the information for which they are responsible for authorizing access.
    • R5.1.2. The list of personnel responsible for authorizing access to protected information shall be verified at least annually.
  • R5.2. The Responsible Entity shall review at least annually the access privileges to protected information to confirm that access privileges are correct and that they correspond with the Responsible Entity's needs and appropriate personnel roles and responsibilities.
  • R5.3. The Responsible Entity shall assess and document at least annually the processes for controlling access privileges to protected information.