NERC CIP-002 through CIP-014 Revision 6_CIP-010-2 3.4

NERC CIP-002 through CIP-014 Revision 6

Vulnerability Assessments

CIP-010-2 3.4

3.4 Document the results of the assessments conducted according to Parts 3.1, 3.2, and 3.3 and the action plan to remediate or mitigate vulnerabilities identified in the assessments, including the planned date of completing the action plan and the execution status of any remediation or mitigation action items.

M3. Evidence must include each of the applicable documented processes that collectively include each of the applicable requirement parts in CIP-010-2 Table R3 - Vulnerability Assessments and additional evidence to demonstrate implementation as described in the Measures column of the table.

CIP-010-2 Table R3 - Vulnerability Assessments

Part 3.1
Applicable Systems: High Impact BES Cyber Systems and their associated: EACMS; PACS; and PCA. Medium Impact BES Cyber Systems and their associated: EACMS; PACS; and PCA.
Requirements: At least once every 15 calendar months, conduct a paper or active vulnerability assessment.
Measures: Examples of evidence may include, but are not limited to: a document listing the date of the assessment (performed at least once every 15 calendar months), the controls assessed for each BES Cyber System along with the method of assessment; or a document listing the date of the assessment and the output of any tools used to perform the assessment.

Part 3.2
Applicable Systems: High Impact BES Cyber Systems.
Requirements: Where technically feasible, at least once every 36 calendar months:
3.2.1 Perform an active vulnerability assessment in a test environment, or perform an active vulnerability assessment in a production environment where the test is performed in a manner that minimizes adverse effects, that models the baseline configuration of the BES Cyber System in a production environment; and
3.2.2 Document the results of the testing and, if a test environment was used, the differences between the test environment and the production environment, including a description of the measures used to account for any differences in operation between the test and production environments.
Measures: An example of evidence may include, but is not limited to, a document listing the date of the assessment (performed at least once every 36 calendar months), the output of the tools used to perform the assessment, and a list of differences between the production and test environments with descriptions of how any differences were accounted for in conducting the assessment.

Part 3.3
Applicable Systems: High Impact BES Cyber Systems and their associated: EACMS; PCA.
Requirements: Prior to adding a new applicable Cyber Asset to a production environment, perform an active vulnerability assessment of the new Cyber Asset, except for CIP Exceptional Circumstances and like replacements of the same type of Cyber Asset with a baseline configuration that models an existing baseline configuration of the previous or other existing Cyber Asset.
Measures: An example of evidence may include, but is not limited to, a document listing the date of the assessment (performed prior to the commissioning of the new Cyber Asset) and the output of any tools used to perform the assessment.

Part 3.4
Applicable Systems: High Impact BES Cyber Systems and their associated: EACMS; PACS; and PCA. Medium Impact BES Cyber Systems and their associated: EACMS; PACS; and PCA.
Requirements: Document the results of the assessments conducted according to Parts 3.1, 3.2, and 3.3 and the action plan to remediate or mitigate vulnerabilities identified in the assessments, including the planned date of completing the action plan and the execution status of any remediation or mitigation action items.
Measures: An example of evidence may include, but is not limited to, a document listing the results or the review or assessment, a list of action items, documented proposed dates of completion for the action plan, and records of the status of the action items (such as minutes of a status meeting, updates in a work order system, or a spreadsheet tracking the action items).


What is a Cybersecurity Compliance Framework?

You don’t need to clutter your security and privacy programs with an ever-increasing number of tools as they become more sophisticated. The Lionfish platform offers a one-stop solution to track progress and monitor any framework, from custom-built ones to highly-specialized and in-demand top security and privacy frameworks and certifications.

With the Lionfish platform, every framework is supported with guided scoping, policies, controls, automated evidence collection, and continuous monitoring, ensuring efficient preparation for audits or attestation in minimal time.

The Lionfish platform is compatible with a wide range of security and privacy frameworks, including:
