CIP-009: Cyber Security Requirements
- R1. Recovery Plans - The Responsible Entity shall create and annually review recovery plans for Critical Cyber Assets. The recovery plans shall address at a minimum the following:
  - R1.1. Specify the required actions in response to events or conditions of varying duration and severity that would activate the recovery plans.
  - R1.2. Define the roles and responsibilities of responders.
- R2. Exercises - The recovery plans shall be exercised at least annually. An exercise of the recovery plans can range from a paper drill, to a full operational exercise, to recovery from an actual incident.
- R3. Change Control - Recovery plans shall be updated to reflect any changes or lessons learned as a result of an exercise or the recovery from an actual incident. Updates shall be communicated to personnel responsible for the activation and implementation of the recovery plans within thirty calendar days after the change is carried out.
- R4. Backup and Restore - The recovery plans shall include processes and procedures for the backup and storage of information required to successfully restore Critical Cyber Assets. For example, backups might include spare electronic components or equipment, written documentation of configuration settings, and tape backup.
- R5. Testing Backup Media - Information essential to recovery that is stored on backup media shall be tested at least annually to ensure that the information is available. Testing can be completed off-site.