CIP-003: Cyber Security Requirements

  • R1. Cyber Security Policy - The Responsible Entity shall document and implement a cyber security policy that represents management's commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following requirements:
    • R1.1. The cyber security policy addresses the requirements in Standards CIP-002 through CIP-009, including provision for emergency situations.
    • R1.2. The cyber security policy is readily available to all personnel who have access to, or are responsible for, Critical Cyber Assets. (Retirement approved by FERC effective January 21, 2014.)
    • R1.3. The cyber security policy is annually reviewed and approved by the senior manager assigned pursuant to R2.
  • R2. Leadership - The Responsible Entity shall assign a single senior manager with overall responsibility and authority for leading and managing the entity's implementation of, and adherence to, Standards CIP-002 through CIP-009.
  • R3. Exceptions - Instances where the Responsible Entity cannot conform to its cyber security policy must be documented as exceptions and authorized by the senior manager or delegate(s). (Retirement approved by FERC effective January 21, 2014.)
  • R4. Information Protection - The Responsible Entity shall implement and document a program to identify, classify, and protect information associated with Critical Cyber Assets.
  • R5. Access Control - The Responsible Entity shall document and implement a program for managing access to protected Critical Cyber Asset information.
  • R6. Change Control and Configuration Management - The Responsible Entity shall establish and document a process of change control and configuration management for adding, modifying, replacing, or removing Critical Cyber Asset hardware or software, and implement supporting configuration management activities to identify, control and document all entity or vendor related changes to hardware and software components of Critical Cyber Assets pursuant to the change control process.