NERC CIP-002 through CIP-014 Revision 6: CIP-010-2 1.5

Configuration Change Management

CIP-010-2 1.5

1.5 Where technically feasible, for each change that deviates from the existing baseline configuration:

1.5.1 Prior to implementing any change in the production environment, test the changes in a test environment or test the changes in a production environment where the test is performed in a manner that minimizes adverse effects, that models the baseline configuration to ensure that required cyber security controls in CIP-005 and CIP-007 are not adversely affected; and

1.5.2 Document the results of the testing and, if a test environment was used, the differences between the test environment and the production environment, including a description of the measures used to account for any differences in operation between the test and production environments.

M1. Evidence must include each of the applicable documented processes that collectively include each of the applicable requirement parts in CIP-010-2 Table R1 (Configuration Change Management) and additional evidence to demonstrate implementation as described in the Measures column of the table.

CIP-010-2 Table R1: Configuration Change Management
Columns: Part; Applicable Systems; Requirements; Measures

Part 1.1
Applicable Systems: High Impact BES Cyber Systems and their associated EACMS, PACS, and PCA; Medium Impact BES Cyber Systems and their associated EACMS, PACS, and PCA.
Requirements: Develop a baseline configuration, individually or by group, which shall include the following items:
  1.1.1. Operating system(s) (including version) or firmware where no independent operating system exists;
  1.1.2. Any commercially available or open-source application software (including version) intentionally installed;
  1.1.3. Any custom software installed;
  1.1.4. Any logical network accessible ports; and
  1.1.5. Any security patches applied.
Measures: Examples of evidence may include, but are not limited to: a spreadsheet identifying the required items of the baseline configuration for each Cyber Asset, individually or by group; or a record in an asset management system that identifies the required items of the baseline configuration for each Cyber Asset, individually or by group.

Part 1.2
Applicable Systems: High Impact BES Cyber Systems and their associated EACMS, PACS, and PCA; Medium Impact BES Cyber Systems and their associated EACMS, PACS, and PCA.
Requirements: Authorize and document changes that deviate from the existing baseline configuration.
Measures: Examples of evidence may include, but are not limited to: a change request record and associated electronic authorization (performed by the individual or group with the authority to authorize the change) in a change management system for each change; or documentation that the change was performed in accordance with the requirement.

Part 1.3
Applicable Systems: High Impact BES Cyber Systems and their associated EACMS, PACS, and PCA; Medium Impact BES Cyber Systems and their associated EACMS, PACS, and PCA.
Requirements: For a change that deviates from the existing baseline configuration, update the baseline configuration as necessary within 30 calendar days of completing the change.
Measures: An example of evidence may include, but is not limited to, updated baseline documentation with a date that is within 30 calendar days of the date of the completion of the change.

Part 1.4
Applicable Systems: High Impact BES Cyber Systems and their associated EACMS, PACS, and PCA; Medium Impact BES Cyber Systems and their associated EACMS, PACS, and PCA.
Requirements: For a change that deviates from the existing baseline configuration:
  1.4.1. Prior to the change, determine required cyber security controls in CIP-005 and CIP-007 that could be impacted by the change;
  1.4.2. Following the change, verify that required cyber security controls determined in 1.4.1 are not adversely affected; and
  1.4.3. Document the results of the verification.
Measures: An example of evidence may include, but is not limited to, a list of cyber security controls verified or tested along with the dated test results.

Part 1.5
Applicable Systems: High Impact BES Cyber Systems.
Requirements: Where technically feasible, for each change that deviates from the existing baseline configuration:
  1.5.1. Prior to implementing any change in the production environment, test the changes in a test environment or test the changes in a production environment where the test is performed in a manner that minimizes adverse effects, that models the baseline configuration to ensure that required cyber security controls in CIP-005 and CIP-007 are not adversely affected; and
  1.5.2. Document the results of the testing and, if a test environment was used, the differences between the test environment and the production environment, including a description of the measures used to account for any differences in operation between the test and production environments.
Measures: An example of evidence may include, but is not limited to, a list of cyber security controls tested along with successful test results and a list of differences between the production and test environments with descriptions of how any differences were accounted for, including the date of the test.
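The following Python is an added example written for this page; it is not NERC's text or the Lionfish platform's code. It models one Cyber Asset's baseline with one attribute per Part 1.1 item, reports which items an observed configuration deviates on (the input to the Part 1.2 authorization check), and computes the Part 1.3 deadline of 30 calendar days after a change is completed. All field names, product names, port numbers and patch identifiers are constructed sample values.

```python
"""Added example: CIP-010-2 R1 baseline model, deviation detection and the
Part 1.3 30-calendar-day update window. Illustrative only; names, product
strings and patch identifiers below are constructed, not real assets."""
from dataclasses import dataclass
from datetime import date, timedelta

# Part 1.3: the baseline must be updated within 30 calendar days of completing
# a change that deviates from it.
BASELINE_UPDATE_WINDOW = timedelta(days=30)


@dataclass(frozen=True)
class Baseline:
    """One Cyber Asset's baseline configuration, one field per Part 1.1 item.
    Fields are frozensets so the record is immutable and set-differencing is
    cheap; each entry is a 'name version' string or a 'proto/port' string."""
    os_or_firmware: str                         # 1.1.1, including version
    app_software: frozenset = frozenset()       # 1.1.2, intentionally installed
    custom_software: frozenset = frozenset()    # 1.1.3
    network_ports: frozenset = frozenset()      # 1.1.4, logical accessible ports
    security_patches: frozenset = frozenset()   # 1.1.5, patches applied


def deviations(baseline, observed):
    """Compare an observed configuration against the approved baseline.
    Returns a list of (part, description) tuples; an empty list means the
    asset still matches its baseline. Each tuple cites the Part 1.1 item it
    relates to so the finding can be tied back to a change record (Part 1.2)."""
    found = []
    if baseline.os_or_firmware != observed.os_or_firmware:
        found.append(("1.1.1", f"OS/firmware {observed.os_or_firmware!r} differs "
                               f"from baseline {baseline.os_or_firmware!r}"))
    set_items = (("1.1.2", "app_software"), ("1.1.3", "custom_software"),
                 ("1.1.4", "network_ports"), ("1.1.5", "security_patches"))
    for part, attr in set_items:
        expected = getattr(baseline, attr)
        actual = getattr(observed, attr)
        # Additions (something present that the baseline never listed) and
        # removals (something the baseline lists that is now gone) are both
        # deviations; sorted() keeps the report order deterministic.
        for item in sorted(actual - expected):
            found.append((part, f"{attr}: {item} present but not in baseline"))
        for item in sorted(expected - actual):
            found.append((part, f"{attr}: {item} in baseline but not present"))
    return found


def _as_date(value):
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def baseline_update_deadline(change_completed):
    """Part 1.3: the last calendar day on which a baseline update is timely."""
    return _as_date(change_completed) + BASELINE_UPDATE_WINDOW


def baseline_update_is_timely(change_completed, baseline_updated):
    """True if the baseline was updated on or after the change completion
    date and no later than 30 calendar days after it."""
    completed = _as_date(change_completed)
    updated = _as_date(baseline_updated)
    return completed <= updated <= baseline_update_deadline(completed)


# Constructed sample data: an approved baseline and a later observation of
# the same asset after an unrecorded software upgrade, a new listening port
# and a newly applied patch.
APPROVED = Baseline(
    os_or_firmware="Windows Server 2019 1809",
    app_software=frozenset({"hmi-client 4.5", "archiver 19.00"}),
    custom_software=frozenset({"scada-poller 1.2"}),
    network_ports=frozenset({"tcp/3389", "tcp/5450"}),
    security_patches=frozenset({"PATCH-2024-001"}),
)

OBSERVED = Baseline(
    os_or_firmware="Windows Server 2019 1809",
    app_software=frozenset({"hmi-client 4.5", "archiver 23.01"}),   # upgraded
    custom_software=frozenset({"scada-poller 1.2"}),
    network_ports=frozenset({"tcp/3389", "tcp/5450", "tcp/8080"}),  # new port
    security_patches=frozenset({"PATCH-2024-001", "PATCH-2024-002"}),  # new patch
)

if __name__ == "__main__":
    for part, text in deviations(APPROVED, OBSERVED):
        print(part, text)
    print("Part 1.3 deadline for a change completed 2024-03-01:",
          baseline_update_deadline("2024-03-01"))
```

Run on the constructed data, the report lists four deviations: the archiver upgrade shows up twice under 1.1.2 (new version present, old version absent), the extra port once under 1.1.4, and the extra patch once under 1.1.5. Each finding is the kind of line an auditor expects to be matched against an authorized change record; a finding with no matching record is the Part 1.2 gap, and a matching record whose baseline update postdates the 30-day deadline is the Part 1.3 gap.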


What is a Cybersecurity Compliance Framework?

You don’t need to clutter your security and privacy programs with an ever-increasing number of tools as they become more sophisticated. The Lionfish platform offers a one-stop solution to track progress and monitor any framework, from custom-built ones to highly-specialized and in-demand top security and privacy frameworks and certifications.

With the Lionfish platform, every framework is supported with guided scoping, policies, controls, automated evidence collection, and continuous monitoring, ensuring efficient preparation for audits or attestation in minimal time.

The Lionfish platform is compatible with a wide range of security and privacy frameworks, including:
