NERC CIP-002 through CIP-014 Revision 6
Security Patch Management
CIP-007-6 2.1
2.1 A patch management process for tracking evaluating and installing cyber security patches for applicable Cyber Assets. The tracking portion shall include the identification of a source or sources that the Responsible Entity tracks for the release of cyber security patches for applicable Cyber Assets that are updateable and for which a patching source exists.
M2. Evidence must include each of the applicable documented processes that collectively include each of the applicable requirement parts in CIP-007-6 Table R2– Security Patch Management and additional evidence to demonstrate implementation as described in the Measures column of the table.CIP-007-6 Table R2– Security Patch Management Part Applicable Systems Requirements Measures 2.1 High Impact BES Cyber Systems and their associated: EACMS;PACS; andPCAMedium Impact BES Cyber Systems and their associated: EACMS;PACS; andPCAA patch management process for tracking evaluating and installing cyber security patches for applicable Cyber Assets. The tracking portion shall include the identification of a source or sources that the Responsible Entity tracks for the release of cyber security patches for applicable Cyber Assets that are updateable and for which a patching source exists. An example of evidence may include but is not limited to documentation of a patch management process and documentation or lists of sources that are monitored whether on an individual BES Cyber System or Cyber Asset basis. CIP-007-6 Table R2– Security Patch Management Part Applicable Systems Requirements Measures 2.2 High Impact BES Cyber Systems and their associated: EACMS;PACS; andPCAMedium Impact BES Cyber Systems and their associated: EACMS;PACS; andPCAAt least once every 35 calendar days evaluate security patches for applicability that have been released since the last evaluation from the source or sources identified in Part 2.1. An example of evidence may include but is not limited to an evaluation conducted by referenced by or on behalf of a Responsible Entity of security-related patches released by the documented sources at least once every 35 calendar days. CIP-007-6 Table R2– Security Patch Management Part Applicable Systems Requirements Measures 2.3 High Impact BES Cyber Systems and their associated: EACMS;PACS; andPCAMedium Impact BES Cyber Systems and their associated: EACMS;PACS; andPCAFor applicable patches identified in Part 2.2 within 35 calendar days of the evaluation completion take one of the following actions: Apply the applicable patches; orCreate a dated mitigation plan; orRevise an existing mitigation plan.Mitigation plans shall include the Responsible Entitys planned actions to mitigate the vulnerabilities addressed by each security patch and a timeframe to complete these mitigations. Examples of evidence may include but are not limited to: Records of the installation of the patch (e.g. exports from automated patch management tools that provide installation date verification of BES CyberSystem Component software revision or registry exports that show software has been installed); orA dated plan showing whenand how the vulnerability will be addressed to include documentation of the actions to be taken by the Responsible Entity to mitigate the vulnerabilities addressed by the security patch and a timeframe for the completion of these mitigations.CIP-007-6 Table R2– Security Patch Management Part Applicable Systems Requirements Measures 2.4 High Impact BES Cyber Systems and their associated: EACMS;PACS; andPCAMedium Impact BES Cyber Systems and their associated: EACMS;PACS; andPCAFor each mitigation plan created or revised in Part 2.3 implement the plan within the timeframe specified in the plan unless a revision to the plan or an extension to the timeframe specified in Part 2.3 is approved by the CIP Senior Manager or delegate. An example of evidence may include but is not limited to records of implementation of mitigations.
Click here to Start your FREE trial today!
What is a Cybersecurity Compliance Framework?
You don’t need to clutter your security and privacy programs with an ever-increasing number of tools as they become more sophisticated. The Lionfish platform offers a one-stop solution to track progress and monitor any framework, from custom-built ones to highly-specialized and in-demand top security and privacy frameworks and certifications.
With the Lionfish platform, every framework is supported with guided scoping, policies, controls, automated evidence collection, and continuous monitoring, ensuring efficient preparation for audits or attestation in minimal time.
The Lionfish platform is compatible with a wide range of security and privacy frameworks, including:
- CMMC v2
- HIPAA
- NERC CIP-002 through CIP-014 Revision 6
- NIST 800-171
- NIST 800-172
- PCI (Payment Card Industry Security Standard)
- SOC 2
- NIST 800-53
- NIST SP800-161 Supply Chain Risk Management
- NIST-CSF
- CIS Framework Controls V8
Click here to Start your FREE trial today!