CIP-006: Cyber Security Requirements and Sub-Requirements

  • R1. Physical Security Plan - The Responsible Entity shall document, implement, and maintain a physical security plan, approved by a senior manager or delegate(s) that shall address, at a minimum, the following:
    • R1.1. All Cyber Assets within an Electronic Security Perimeter shall reside within an identified Physical Security Perimeter. Where a completely enclosed (“six-wall”) border cannot be established, the Responsible Entity shall deploy and document alternative measures to control physical access to the Critical Cyber Assets.
    • R1.2. Identification of all access points through each Physical Security Perimeter and measures to control entry at the access points.
    • R1.3. Processes, tools, and procedures to monitor physical access to the perimeter(s).
    • R1.4. Appropriate use of physical access controls as described in Requirement R4, including visitor pass management, response to loss, and prohibition of inappropriate use of physical access controls.
    • R1.5. Review of access authorization requests and revocation of access authorization, in accordance with CIP-004-2 Requirement R4.
    • R1.6. Continuous escorted access within the physical security perimeter of personnel not authorized for unescorted access.
    • R1.7. Update of the physical security plan within 30 calendar days of the completion of any physical security system redesign or reconfiguration, including, but not limited to, addition or removal of access points through the Physical Security Perimeter, physical access controls, monitoring controls, or logging controls.
    • R1.8. Annual review of the physical security plan.
  • R2. Protection of Physical Access Control Systems - Cyber Assets that authorize or log access to the Physical Security Perimeter(s), exclusive of hardware at the Physical Security Perimeter access point such as electronic lock control mechanisms and badge readers, shall:
    • R2.1. Be protected from unauthorized physical access.
    • R2.2. Be afforded the protective measures specified in Standard CIP-003-2; Standard CIP-004-2 Requirement R3; Standard CIP-005-2 Requirements R2 and R3; Standard CIP-006-2 Requirements R4 and R5; Standard CIP-007-2; Standard CIP-008-2; and Standard CIP-009-2.
    • R2.3. Security Personnel: Personnel responsible for controlling physical access who may reside on-site or at a monitoring station.
    • R2.4. Other Authentication Devices: Biometric, keypad, token, or other equivalent devices that control physical access to the Critical Cyber Assets.
  • R3. Protection of Electronic Access Control Systems - Cyber Assets used in the access control or monitoring of the Electronic Security Perimeter(s) shall reside within an identified Physical Security Perimeter.
  • R4. Physical Access Controls - The Responsible Entity shall document and implement the operational and procedural controls to manage physical access at all access points to the Physical Security Perimeter(s) twenty-four hours a day, seven days a week. The Responsible Entity shall implement one or more of the following physical access methods:
    • R4.1. Card Key: A means of electronic access where the access rights of the card holder are predefined in a computer database. Access rights may differ from one perimeter to another.
    • R4.2. Special Locks: These include, but are not limited to, locks with “restricted key” systems, magnetic locks that can be operated remotely, and “mantrap” systems.
    • R4.3. Security Personnel: Personnel responsible for controlling physical access who may reside on-site or at a monitoring station.
    • R4.4. Other Authentication Devices: Biometric, keypad, token, or other equivalent devices that control physical access to the Critical Cyber Assets.
  • R5. Monitoring Physical Access - The Responsible Entity shall document and implement the technical and procedural controls for monitoring physical access at all access points to the Physical Security Perimeter(s) twenty-four hours a day, seven days a week. Unauthorized access attempts shall be reviewed immediately and handled in accordance with the procedures specified in Requirement CIP-008-2. One or more of the following monitoring methods shall be used:
    • R5.1. Alarm Systems: Systems that alarm to indicate a door, gate or window has been opened without authorization. These alarms must provide for immediate notification to personnel responsible for response.
    • R5.2. Human Observation of Access Points: Monitoring of physical access points by authorized personnel as specified in Requirement R4.
  • R6. Logging Physical Access - Logging shall record sufficient information to uniquely identify individuals and the time of access twenty-four hours a day, seven days a week. The Responsible Entity shall implement and document the technical and procedural mechanisms for logging physical entry at all access points to the Physical Security Perimeter(s) using one or more of the following logging methods or their equivalent:
    • R6.1. Computerized Logging: Electronic logs produced by the Responsible Entity’s selected access control and monitoring method.
    • R6.2. Video Recording: Electronic capture of video images of sufficient quality to determine identity.
    • R6.3. Manual Logging: A log book or sign-in sheet, or other record of physical access maintained by security or other personnel authorized to control and monitor physical access as specified in Requirement R4.
  • R7. Access Log Retention - The responsible entity shall retain physical access logs for at least ninety calendar days. Logs related to reportable incidents must meet with the requirements of Standard CIP-008-2.
  • R8. Maintenance and Testing - The Responsible Entity shall implement a maintenance and testing program to ensure that all physical security systems under Requirements R4, R5, and R6 function properly. The program must include, at a minimum, the following:
    • R8.1. Testing and maintenance of all physical security mechanisms on a cycle no longer than three years.
    • R8.2. Retention of testing and maintenance records for the cycle determined by the Responsible Entity in Requirement R8.1.
    • R8.3. Retention of outage records regarding access controls, logging, and monitoring for a minimum of one calendar year.